mirror of
				https://github.com/tobychui/zoraxy.git
				synced 2025-10-25 03:54:04 +02:00 
			
		
		
		
	-Add support for including Subject Alternative Names (SANs) from
existing certificates during both manual and automatic renewals. -Enhance filtering and normalization of domain names from the UI to ensure only valid domains are included when requesting certificates.
This commit is contained in:
		| @@ -432,6 +432,21 @@ func (a *ACMEHandler) HandleGetExpiredDomains(w http.ResponseWriter, r *http.Req | |||||||
| // to renew the certificate, and sends a JSON response indicating the result of the renewal process. | // to renew the certificate, and sends a JSON response indicating the result of the renewal process. | ||||||
| func (a *ACMEHandler) HandleRenewCertificate(w http.ResponseWriter, r *http.Request) { | func (a *ACMEHandler) HandleRenewCertificate(w http.ResponseWriter, r *http.Request) { | ||||||
| 	domainPara, err := utils.PostPara(r, "domains") | 	domainPara, err := utils.PostPara(r, "domains") | ||||||
|  | 	 | ||||||
|  | 	//Clean each domain | ||||||
|  | 	cleanedDomains := []string{} | ||||||
|  | 	if (domainPara != "") { | ||||||
|  | 		for _, d := range strings.Split(domainPara, ",") { | ||||||
|  | 			// Apply normalization on each domain | ||||||
|  | 			nd, err := NormalizeDomain(d) | ||||||
|  | 			if err != nil { | ||||||
|  | 				utils.SendErrorResponse(w, jsonEscape(err.Error())) | ||||||
|  | 				return | ||||||
|  | 			}	 | ||||||
|  | 			cleanedDomains = append(cleanedDomains, nd)  | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  |  | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		utils.SendErrorResponse(w, jsonEscape(err.Error())) | 		utils.SendErrorResponse(w, jsonEscape(err.Error())) | ||||||
| 		return | 		return | ||||||
| @@ -492,7 +507,6 @@ func (a *ACMEHandler) HandleRenewCertificate(w http.ResponseWriter, r *http.Requ | |||||||
| 		dns = true | 		dns = true | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	domains := strings.Split(domainPara, ",") |  | ||||||
|  |  | ||||||
| 	// Default propagation timeout is 300 seconds | 	// Default propagation timeout is 300 seconds | ||||||
| 	propagationTimeout := 300 | 	propagationTimeout := 300 | ||||||
| @@ -511,11 +525,30 @@ func (a *ACMEHandler) HandleRenewCertificate(w http.ResponseWriter, r *http.Requ | |||||||
| 		} | 		} | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	//Clean spaces in front or behind each domain | 	// Extract SANs from existing PEM to ensure all domains are included | ||||||
| 	cleanedDomains := []string{} | 	pemPath := fmt.Sprintf("./conf/certs/%s.pem", filename) | ||||||
| 	for _, domain := range domains { | 	sanDomains, err := ExtractDomainsFromPEM(pemPath) | ||||||
| 		cleanedDomains = append(cleanedDomains, strings.TrimSpace(domain)) | 	if err == nil { | ||||||
|  | 		// Merge domainPara + SANs | ||||||
|  | 		domainSet := map[string]struct{}{} | ||||||
|  | 		for _, d := range cleanedDomains { | ||||||
|  | 			domainSet[d] = struct{}{} | ||||||
| 		} | 		} | ||||||
|  | 		for _, d := range sanDomains { | ||||||
|  | 			domainSet[d] = struct{}{} | ||||||
|  | 		} | ||||||
|  |  | ||||||
|  | 		// Rebuild cleanedDomains with all unique domains | ||||||
|  | 		cleanedDomains = []string{} | ||||||
|  | 		for d := range domainSet { | ||||||
|  | 			cleanedDomains = append(cleanedDomains, d) | ||||||
|  | 		} | ||||||
|  |  | ||||||
|  | 		a.Logf("Renewal domains including SANs from PEM: "+strings.Join(cleanedDomains, ","), nil) | ||||||
|  | 	} else { | ||||||
|  | 		a.Logf("Could not extract SANs from PEM, using domainPara only", err) | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  |  | ||||||
| 	// Extract DNS servers from the request | 	// Extract DNS servers from the request | ||||||
| 	var dnsServers []string | 	var dnsServers []string | ||||||
|   | |||||||
| @@ -397,6 +397,15 @@ func (a *AutoRenewer) renewExpiredDomains(certs []*ExpiredCerts) ([]string, erro | |||||||
| 			dnsServers = strings.Join(certInfo.DNSServers, ",") | 			dnsServers = strings.Join(certInfo.DNSServers, ",") | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
|  | 		// Extract SANs from the existing PEM to ensure all domains are included | ||||||
|  | 		sanDomains, errSan := ExtractDomainsFromPEM(expiredCert.Filepath) | ||||||
|  | 		if errSan == nil && len(sanDomains) > 0 { | ||||||
|  | 			expiredCert.Domains = sanDomains | ||||||
|  | 			a.Logf("Using SANs from PEM for renewal: "+strings.Join(sanDomains, ","), nil) | ||||||
|  | 		} else { | ||||||
|  | 			a.Logf("Could not extract SANs from PEM for "+fileName+", using original domains", errSan) | ||||||
|  | 		} | ||||||
|  |  | ||||||
| 		_, err = a.AcmeHandler.ObtainCert(expiredCert.Domains, certName, a.RenewerConfig.Email, certInfo.AcmeName, certInfo.AcmeUrl, certInfo.SkipTLS, certInfo.UseDNS, certInfo.PropTimeout, dnsServers) | 		_, err = a.AcmeHandler.ObtainCert(expiredCert.Domains, certName, a.RenewerConfig.Email, certInfo.AcmeName, certInfo.AcmeUrl, certInfo.SkipTLS, certInfo.UseDNS, certInfo.PropTimeout, dnsServers) | ||||||
| 		if err != nil { | 		if err != nil { | ||||||
| 			a.Logf("Renew "+fileName+"("+strings.Join(expiredCert.Domains, ",")+") failed", err) | 			a.Logf("Renew "+fileName+"("+strings.Join(expiredCert.Domains, ",")+") failed", err) | ||||||
|   | |||||||
| @@ -7,6 +7,8 @@ import ( | |||||||
| 	"fmt" | 	"fmt" | ||||||
| 	"os" | 	"os" | ||||||
| 	"time" | 	"time" | ||||||
|  | 	"strings" | ||||||
|  | 	"unicode" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| // Get the issuer name from pem file | // Get the issuer name from pem file | ||||||
| @@ -40,6 +42,8 @@ func ExtractDomains(certBytes []byte) ([]string, error) { | |||||||
| 	return []string{}, errors.New("decode cert bytes failed") | 	return []string{}, errors.New("decode cert bytes failed") | ||||||
| } | } | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| func ExtractIssuerName(certBytes []byte) (string, error) { | func ExtractIssuerName(certBytes []byte) (string, error) { | ||||||
| 	// Parse the PEM block | 	// Parse the PEM block | ||||||
| 	block, _ := pem.Decode(certBytes) | 	block, _ := pem.Decode(certBytes) | ||||||
| @@ -64,6 +68,20 @@ func ExtractIssuerName(certBytes []byte) (string, error) { | |||||||
| 	return issuer, nil | 	return issuer, nil | ||||||
| } | } | ||||||
|  |  | ||||||
|  | // ExtractDomainsFromPEM reads a PEM certificate file and returns all SANs | ||||||
|  | func ExtractDomainsFromPEM(pemFilePath string) ([]string, error) { | ||||||
|  |  | ||||||
|  | 	certBytes, err := os.ReadFile(pemFilePath) | ||||||
|  | 	if err != nil { | ||||||
|  | 			return nil, err | ||||||
|  | 	} | ||||||
|  | 	domains,err := ExtractDomains(certBytes) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return nil, err | ||||||
|  | 	} | ||||||
|  | 	return domains, nil | ||||||
|  | } | ||||||
|  |  | ||||||
| // Check if a cert is expired by public key | // Check if a cert is expired by public key | ||||||
| func CertIsExpired(certBytes []byte) bool { | func CertIsExpired(certBytes []byte) bool { | ||||||
| 	block, _ := pem.Decode(certBytes) | 	block, _ := pem.Decode(certBytes) | ||||||
| @@ -98,3 +116,52 @@ func CertExpireSoon(certBytes []byte, numberOfDays int) bool { | |||||||
| 	} | 	} | ||||||
| 	return false | 	return false | ||||||
| } | } | ||||||
|  |  | ||||||
|  |  | ||||||
|  | // NormalizeDomain cleans and validates a domain string. | ||||||
|  | // - Trims spaces around the domain | ||||||
|  | // - Converts to lowercase | ||||||
|  | // - Removes trailing dot (FQDN canonicalization) | ||||||
|  | // - Checks that the domain conforms to standard rules: | ||||||
|  | //   * Each label ≤ 63 characters | ||||||
|  | //   * Only letters, digits, and hyphens | ||||||
|  | //   * Labels do not start or end with a hyphen | ||||||
|  | //   * Labels must have >= 2 characters | ||||||
|  | //   * Full domain ≤ 253 characters | ||||||
|  | // Returns an empty string if the domain is invalid. | ||||||
|  | func NormalizeDomain(d string) (string, error) { | ||||||
|  | 	d = strings.TrimSpace(d) | ||||||
|  | 	d = strings.ToLower(d) | ||||||
|  | 	d = strings.TrimSuffix(d, ".") | ||||||
|  | 		 | ||||||
|  | 	if len(d) == 0 { | ||||||
|  | 		return "", errors.New("domain is empty") | ||||||
|  | 	} | ||||||
|  | 	if len(d) > 253 { | ||||||
|  | 		return "", errors.New("domain exceeds 253 characters") | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	labels := strings.Split(d, ".") | ||||||
|  | 	for _, label := range labels { | ||||||
|  | 		if len(label) == 0 { | ||||||
|  | 			return "", errors.New("Domain '" + d + "' not valid: Empty label") | ||||||
|  | 		} | ||||||
|  | 		if len(label) < 2 { | ||||||
|  | 			return "", errors.New("Domain '" + d + "' not valid: label '" + label + "' is too short") | ||||||
|  | 		} | ||||||
|  | 		if len(label) > 63 { | ||||||
|  | 			return "", errors.New("Domain not valid: label exceeds 63 characters") | ||||||
|  | 		} | ||||||
|  |  | ||||||
|  | 		for i, r := range label { | ||||||
|  | 			if !(unicode.IsLetter(r) || unicode.IsDigit(r) || r == '-') { | ||||||
|  | 				return "", errors.New("Domain '" + d + "' not valid: Invalid character '" + string(r) + "' in label") | ||||||
|  | 			} | ||||||
|  | 			if (i == 0 || i == len(label)-1) && r == '-' { | ||||||
|  | 				return "", errors.New("Domain '" + d + "' not valid: label '"+ label +"' starts or ends with hyphen") | ||||||
|  | 			} | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	return d, nil | ||||||
|  | } | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user
	 jimmyGALLAND
					jimmyGALLAND