From c6c523e005803c02b8c678ca01f4e13dabccd0b4 Mon Sep 17 00:00:00 2001
From: dalun
Date: Wed, 13 Sep 2023 00:32:48 +0000
Subject: [PATCH 1/3] prevent out of range when check issuer exist
---
 src/mod/acme/autorenew.go | 14 --------------
 src/mod/acme/utils.go | 5 +++++
 2 files changed, 5 insertions(+), 14 deletions(-)
diff --git a/src/mod/acme/autorenew.go b/src/mod/acme/autorenew.go
index 13872fd..a608729 100644
--- a/src/mod/acme/autorenew.go
+++ b/src/mod/acme/autorenew.go
@@ -280,12 +280,6 @@ func (a *AutoRenewer) CheckAndRenewCertificates() ([]string, error) {
 }
 if CertExpireSoon(certBytes) || CertIsExpired(certBytes) {
 //This cert is expired
- CAName, err := ExtractIssuerName(certBytes)
- if err != nil {
- //Maybe self signed. Ignore this
- log.Println("Unable to extract issuer name for cert " + file.Name())
- continue
- }
 DNSName, err := ExtractDomains(certBytes)
 if err != nil {
@@ -296,7 +290,6 @@ func (a *AutoRenewer) CheckAndRenewCertificates() ([]string, error) {
 expiredCertList = append(expiredCertList, &ExpiredCerts{
 Filepath: filepath.Join(certFolder, file.Name()),
- CA: CAName,
 Domains: DNSName,
 })
 }
@@ -315,12 +308,6 @@ func (a *AutoRenewer) CheckAndRenewCertificates() ([]string, error) {
 }
 if CertExpireSoon(certBytes) || CertIsExpired(certBytes) {
 //This cert is expired
- CAName, err := ExtractIssuerName(certBytes)
- if err != nil {
- //Maybe self signed. Ignore this
- log.Println("Unable to extract issuer name for cert " + file.Name())
- continue
- }
 DNSName, err := ExtractDomains(certBytes)
 if err != nil {
@@ -331,7 +318,6 @@ func (a *AutoRenewer) CheckAndRenewCertificates() ([]string, error) {
 expiredCertList = append(expiredCertList, &ExpiredCerts{
 Filepath: filepath.Join(certFolder, file.Name()),
- CA: CAName,
 Domains: DNSName,
 })
 }
diff --git a/src/mod/acme/utils.go b/src/mod/acme/utils.go
index 40d873d..1638044 100644
--- a/src/mod/acme/utils.go
+++ b/src/mod/acme/utils.go
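Review bot: Dropping the ExtractIssuerName guard in both `if CertExpireSoon(certBytes) || CertIsExpired(certBytes)` branches also drops the `continue` that kept certificates with no extractable issuer (the removed comment called them self-signed) out of expiredCertList, and nothing in these hunks replaces that filter, so such certificates are now queued for ACME renewal as well. If that is intended — the third patch's issuer-org failover suggests it is — the spot deserves a comment, e.g. `// No issuer check here: certs without an O= issuer are still queued; renewExpiredDomains picks the CA.` If it is not intended, keep the check and its `continue` and simply stop storing CAName, which removes the out-of-range panic just as well once ExtractIssuerName validates the slice. Both branches sit inside CheckAndRenewCertificates, whose body starts and ends outside these hunks.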
@@ -53,6 +53,11 @@ func ExtractIssuerName(certBytes []byte) (string, error) {
 return "", fmt.Errorf("failed to parse certificate: %v", err)
 }
+ // Check if exist incase some acme server didn't have org section
+ if len(cert.Issuer.Organization) == 0 {
+ return "", fmt.Errorf("cert didn't have org section exist")
+ }
+
 // Extract the issuer name
 issuer := cert.Issuer.Organization[0]
From 8a5004e8288b9d9e3fddd300039755e7545a1f26 Mon Sep 17 00:00:00 2001
From: dalun
Date: Wed, 13 Sep 2023 04:27:11 +0000
Subject: [PATCH 2/3] handle buypass issuer not match
---
 src/mod/acme/ca.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/mod/acme/ca.go b/src/mod/acme/ca.go
index 205771e..87f9fc4 100644
--- a/src/mod/acme/ca.go
+++ b/src/mod/acme/ca.go
@@ -10,6 +10,7 @@ import (
 "encoding/json"
 "errors"
 "log"
+ "strings"
 )
 // CA Defination, load from embeded json when startup
@@ -36,9 +37,15 @@ func init() {
 // Get the CA ACME server endpoint and error if not found
 func loadCAApiServerFromName(caName string) (string, error) {
+ // handle BuyPass cert org section (Buypass AS-983163327)
+ if strings.HasPrefix(caName, "Buypass AS") {
+ caName = "Buypass"
+ }
+
 val, ok := caDef.Production[caName]
 if !ok {
 return "", errors.New("This CA is not supported")
 }
+
 return val, nil
 }
From 95892802fd05abae5540022a60d482d5a16816ea Mon Sep 17 00:00:00 2001
From: dalun
Date: Wed, 13 Sep 2023 04:28:33 +0000
Subject: [PATCH 3/3] use issuer org as failover for json file not exist
---
 src/mod/acme/autorenew.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/mod/acme/autorenew.go b/src/mod/acme/autorenew.go
index a608729..b5f1596 100644
--- a/src/mod/acme/autorenew.go
+++ b/src/mod/acme/autorenew.go
@@ -40,7 +40,6 @@ type AutoRenewer struct {
 type ExpiredCerts struct {
 Domains []string
 Filepath string
- CA string
 }
 // Create an auto renew agent, require config filepath and auto scan & renew interval (seconds)
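Review bot: The new length guard is the right fix for the index panic, but its error text `cert didn't have org section exist` and the comment typo `incase` read poorly in logs and in the code, and what is tested is the Organization attribute of the issuer DN, not a section. Suggested: `// Some ACME CAs omit the O= attribute from the issuer DN; guard the index below.` and `return "", fmt.Errorf("certificate issuer has no Organization attribute")`. Note that an Organization entry that is present but empty still passes and yields an empty issuer name; if callers treat an empty name as "use the default CA" that is harmless, otherwise consider also rejecting `cert.Issuer.Organization[0] == ""`. ExtractIssuerName continues past the end of the hunk.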
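Review bot: The Buypass special case in loadCAApiServerFromName hard-codes an issuer-name alias inside the lookup while every other mapping comes from the embedded JSON in `caDef`, so the next CA whose issuer O= differs from its key needs another code change; a small alias table, `var caOrgAliases = map[string]string{"Buypass AS-983163327": "Buypass"}` consulted before `caDef.Production[caName]`, or an alias list in the JSON itself, keeps the data in one place and matches exactly rather than by prefix. If the prefix form is deliberate because the organisation number may vary, say so in the comment. Either way the doc comment above the function should state that issuer organisation names are normalised before lookup, since the third patch passes the raw O= string from a certificate straight into this path.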
@@ -347,8 +346,14 @@ func (a *AutoRenewer) renewExpiredDomains(certs []*ExpiredCerts) ([]string, erro
 certInfoFilename := fmt.Sprintf("%s/%s.json", filepath.Dir(expiredCert.Filepath), certName)
 certInfo, err := loadCertInfoJSON(certInfoFilename)
 if err != nil {
- log.Printf("Renew %s certificate error, can't get the ACME detail for cert: %v, using default ACME", certName, err)
- certInfo = &CertificateInfoJSON{}
+ log.Printf("Renew %s certificate error, can't get the ACME detail for cert: %v, trying org section as ca", certName, err)
+
+ if CAName, extractErr := ExtractIssuerNameFromPEM(expiredCert.Filepath); extractErr != nil {
+ log.Printf("extract issuer name for cert error: %v, using default ca", extractErr)
+ certInfo = &CertificateInfoJSON{}
+ } else {
+ certInfo = &CertificateInfoJSON{AcmeName: CAName}
+ }
 }
 _, err = a.AcmeHandler.ObtainCert(expiredCert.Domains, certName, a.RenewerConfig.Email, certInfo.AcmeName, certInfo.AcmeUrl, certInfo.SkipTLS)
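Review bot: The failover adopts whatever issuer organisation the on-disk certificate carries as `AcmeName` without checking that it names a CA this code supports; if ObtainCert resolves that name through loadCAApiServerFromName (which, per the second patch, returns "This CA is not supported" for unknown keys), a certificate issued by a CA outside `caDef` — or by any non-ACME issuer that nevertheless has an O= attribute — now fails the renewal that the removed lines would have attempted against the default CA. Validating the extracted name before using it keeps the failover for known CAs and preserves the old default behaviour for everything else; the sketch below does that and also renames the local to `caName`, since `CAName` is a package-level style for a short-lived local. The enclosing renewExpiredDomains starts and ends outside the hunk, so the log message wording is left as is.
```go
			// … unchanged: log.Printf "trying org section as ca" …
			caName, extractErr := ExtractIssuerNameFromPEM(expiredCert.Filepath)
			if extractErr == nil {
				// Only adopt the issuer as AcmeName when it maps to a supported CA.
				_, extractErr = loadCAApiServerFromName(caName)
			}
			if extractErr != nil {
				log.Printf("extract issuer name for cert error: %v, using default ca", extractErr)
				certInfo = &CertificateInfoJSON{}
			} else {
				certInfo = &CertificateInfoJSON{AcmeName: caName}
			}
```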