Merge pull request #65 from daluntw/2.6.7

Fix the index-out-of-range panic during certificate auto-renewal when an issuer has no Organization field
Toby Chui 2023-09-13 17:21:29 +08:00 committed by GitHub
commit ed92cccf0e
3 changed files with 20 additions and 17 deletions


@ -40,7 +40,6 @@ type AutoRenewer struct {
type ExpiredCerts struct { type ExpiredCerts struct {
Domains []string Domains []string
Filepath string Filepath string
CA string
} }
// Create an auto renew agent, require config filepath and auto scan & renew interval (seconds) // Create an auto renew agent, require config filepath and auto scan & renew interval (seconds)
@ -280,12 +279,6 @@ func (a *AutoRenewer) CheckAndRenewCertificates() ([]string, error) {
} }
if CertExpireSoon(certBytes) || CertIsExpired(certBytes) { if CertExpireSoon(certBytes) || CertIsExpired(certBytes) {
//This cert is expired //This cert is expired
CAName, err := ExtractIssuerName(certBytes)
if err != nil {
//Maybe self signed. Ignore this
log.Println("Unable to extract issuer name for cert " + file.Name())
continue
}
DNSName, err := ExtractDomains(certBytes) DNSName, err := ExtractDomains(certBytes)
if err != nil { if err != nil {
@ -296,7 +289,6 @@ func (a *AutoRenewer) CheckAndRenewCertificates() ([]string, error) {
expiredCertList = append(expiredCertList, &ExpiredCerts{ expiredCertList = append(expiredCertList, &ExpiredCerts{
Filepath: filepath.Join(certFolder, file.Name()), Filepath: filepath.Join(certFolder, file.Name()),
CA: CAName,
Domains: DNSName, Domains: DNSName,
}) })
} }
@ -315,12 +307,6 @@ func (a *AutoRenewer) CheckAndRenewCertificates() ([]string, error) {
} }
if CertExpireSoon(certBytes) || CertIsExpired(certBytes) { if CertExpireSoon(certBytes) || CertIsExpired(certBytes) {
//This cert is expired //This cert is expired
CAName, err := ExtractIssuerName(certBytes)
if err != nil {
//Maybe self signed. Ignore this
log.Println("Unable to extract issuer name for cert " + file.Name())
continue
}
DNSName, err := ExtractDomains(certBytes) DNSName, err := ExtractDomains(certBytes)
if err != nil { if err != nil {
@ -331,7 +317,6 @@ func (a *AutoRenewer) CheckAndRenewCertificates() ([]string, error) {
expiredCertList = append(expiredCertList, &ExpiredCerts{ expiredCertList = append(expiredCertList, &ExpiredCerts{
Filepath: filepath.Join(certFolder, file.Name()), Filepath: filepath.Join(certFolder, file.Name()),
CA: CAName,
Domains: DNSName, Domains: DNSName,
}) })
} }
@ -361,8 +346,14 @@ func (a *AutoRenewer) renewExpiredDomains(certs []*ExpiredCerts) ([]string, erro
certInfoFilename := fmt.Sprintf("%s/%s.json", filepath.Dir(expiredCert.Filepath), certName) certInfoFilename := fmt.Sprintf("%s/%s.json", filepath.Dir(expiredCert.Filepath), certName)
certInfo, err := loadCertInfoJSON(certInfoFilename) certInfo, err := loadCertInfoJSON(certInfoFilename)
if err != nil { if err != nil {
log.Printf("Renew %s certificate error, can't get the ACME detail for cert: %v, using default ACME", certName, err) log.Printf("Renew %s certificate error, can't get the ACME detail for cert: %v, trying org section as ca", certName, err)
certInfo = &CertificateInfoJSON{}
if CAName, extractErr := ExtractIssuerNameFromPEM(expiredCert.Filepath); extractErr != nil {
log.Printf("extract issuer name for cert error: %v, using default ca", extractErr)
certInfo = &CertificateInfoJSON{}
} else {
certInfo = &CertificateInfoJSON{AcmeName: CAName}
}
} }
_, err = a.AcmeHandler.ObtainCert(expiredCert.Domains, certName, a.RenewerConfig.Email, certInfo.AcmeName, certInfo.AcmeUrl, certInfo.SkipTLS) _, err = a.AcmeHandler.ObtainCert(expiredCert.Domains, certName, a.RenewerConfig.Email, certInfo.AcmeName, certInfo.AcmeUrl, certInfo.SkipTLS)
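Review bot: Certificates that the old code explicitly skipped ("Maybe self signed. Ignore this", the removed `continue` in both CheckAndRenewCertificates loops) are now queued and, when there is neither a `.json` detail file nor an issuer Organization, handed to `ObtainCert` with the zero-value `CertificateInfoJSON` (the "using default ca" branch in renewExpiredDomains). For a self-signed or private-CA certificate in the folder that means an ACME order against the default public CA for those domains on every scan interval, which will keep failing validation and can run into the CA's rate limits; it also changes the tool's behaviour rather than just fixing the panic named in the title. I would keep the old skip at this point: `log.Printf("Skip renewing %s: no ACME detail file and no issuer name (%v)", certName, extractErr)` followed by `continue`, assuming this sits in the per-certificate loop, which starts before the hunk (renewExpiredDomains begins and ends outside it). Separately, the message on the changed log line still opens with "Renew %s certificate error" although it now describes a fallback rather than a failure; `"No ACME detail file for %s (%v), using issuer org as CA name"` would read correctly, and the fallback can only ever set `AcmeName`, so `AcmeUrl` stays empty and `SkipTLS` stays false, which is the safe default and worth a one-line comment.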


@ -10,6 +10,7 @@ import (
"encoding/json" "encoding/json"
"errors" "errors"
"log" "log"
"strings"
) )
// CA Defination, load from embeded json when startup // CA Defination, load from embeded json when startup
@ -36,9 +37,15 @@ func init() {
// Get the CA ACME server endpoint and error if not found // Get the CA ACME server endpoint and error if not found
func loadCAApiServerFromName(caName string) (string, error) { func loadCAApiServerFromName(caName string) (string, error) {
// handle BuyPass cert org section (Buypass AS-983163327)
if strings.HasPrefix(caName, "Buypass AS") {
caName = "Buypass"
}
val, ok := caDef.Production[caName] val, ok := caDef.Production[caName]
if !ok { if !ok {
return "", errors.New("This CA is not supported") return "", errors.New("This CA is not supported")
} }
return val, nil return val, nil
} }
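Review bot: The `strings.HasPrefix(caName, "Buypass AS")` special case in loadCAApiServerFromName hard-codes one issuer-Organization-to-CA mapping inline; the next CA whose issuer org differs from its table key will add another prefix test here. A small alias table keeps this data-driven and exact-match: `var issuerOrgAliases = map[string]string{"Buypass AS-983163327": "Buypass"}` at package scope, then `if alias, ok := issuerOrgAliases[caName]; ok { caName = alias }` before the lookup (keep the prefix form only if Buypass is known to vary the suffix, which the comment does not say). The string being mapped now comes from a certificate on disk, so the fact that the endpoint is only ever read out of the fixed `caDef.Production` table, never built from the input, is the property that stops a crafted certificate from steering renewal to an arbitrary ACME server; a comment such as `// caName may originate from a certificate's issuer org; only table entries are ever used as endpoints` would make that intent explicit. The error could also name the rejected value, `fmt.Errorf("CA %q is not supported", caName)`, if `fmt` is already imported (the import block is only partly visible).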


@ -53,6 +53,11 @@ func ExtractIssuerName(certBytes []byte) (string, error) {
return "", fmt.Errorf("failed to parse certificate: %v", err) return "", fmt.Errorf("failed to parse certificate: %v", err)
} }
// Check if exist incase some acme server didn't have org section
if len(cert.Issuer.Organization) == 0 {
return "", fmt.Errorf("cert didn't have org section exist")
}
// Extract the issuer name // Extract the issuer name
issuer := cert.Issuer.Organization[0] issuer := cert.Issuer.Organization[0]