pages/pages-server
1
0
Fork 0
mirror of https://codeberg.org/Codeberg/pages-server.git synced 2025-04-24 22:06:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix leaf nil reference

Browse source
This commit is contained in:
crapStone 2024-04-30 23:18:10 +02:00 committed by crapStone
parent 3566fd62b8
commit a8f6bbda85
2 changed files with 39 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

6
flake.lock generated
View file

@ -19,11 +19,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1714030708, "lastModified": 1714314149,
"narHash": "sha256-JOGPOxa8N6ySzB7SQBsh0OVz+UXZriyahgvfNHMIY0Y=", "narHash": "sha256-yNAevSKF4krRWacmLUsLK7D7PlfuY3zF0lYnGYNi9vQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "b0d52b31f7f4d80f8bf38f0253652125579c35ff", "rev": "cf8cc1201be8bc71b7cbbbdaf349b22f4f99c7ae",
"type": "github" "type": "github"
}, },
"original": { "original": {

50
server/certificates/certificates.go
View file

@ -37,7 +37,7 @@ func TLSConfig(mainDomainSuffix string,
noDNS01 bool, noDNS01 bool,
rawDomain string, rawDomain string,
) *tls.Config { ) *tls.Config {
keyCache, err := lru.New[string, tls.Certificate](32) keyCache, err := lru.New[string, *tls.Certificate](32)
if err != nil { if err != nil {
panic(err) // This should only happen if 32 < 0 at the time of writing, which should be reason enough to panic. panic(err) // This should only happen if 32 < 0 at the time of writing, which should be reason enough to panic.
} }
@ -112,12 +112,21 @@ func TLSConfig(mainDomainSuffix string,
} }
if tlsCertificate, ok := keyCache.Get(domain); ok { if tlsCertificate, ok := keyCache.Get(domain); ok {
if shouldRenewCert(&tlsCertificate, 7) { if tlsCertificate.Leaf == nil {
log.Error().Msg("Leaf is nil")
tlsCertificate.Leaf, err = x509.ParseCertificate(tlsCertificate.Certificate[0])
if err != nil {
return nil, fmt.Errorf("error parsing leaf tlsCert: %w", err)
}
}
// if Leaf == nil the certificate can't be in the cache for a long time so we just ignore it
if tlsCertificate.Leaf != nil && tlsCertificate.Leaf.NotAfter.Before(time.Now().Add(7*24*time.Hour)) {
// if cert is up for renewal remove it from the cache // if cert is up for renewal remove it from the cache
keyCache.Remove(domain) keyCache.Remove(domain)
} else { } else {
log.Error().Msg("Cert is not expired")
// we can use an existing certificate object // we can use an existing certificate object
return &tlsCertificate, nil return tlsCertificate, nil
} }
} }
@ -143,7 +152,7 @@ func TLSConfig(mainDomainSuffix string,
} }
} }
keyCache.Add(domain, *tlsCertificate) keyCache.Add(domain, tlsCertificate)
return tlsCertificate, nil return tlsCertificate, nil
}, },
NextProtos: []string{ NextProtos: []string{
@ -195,13 +204,13 @@ func (c *AcmeClient) retrieveCertFromDB(sni, mainDomainSuffix string, useDnsProv
// TODO: document & put into own function // TODO: document & put into own function
if !strings.EqualFold(sni, mainDomainSuffix) { if !strings.EqualFold(sni, mainDomainSuffix) {
tlsCertificate.Leaf, err = x509.ParseCertificate(tlsCertificate.Certificate[0]) tlsCertificate.Leaf, err = leaf(&tlsCertificate)
if err != nil { if err != nil {
return nil, fmt.Errorf("error parsing leaf tlsCert: %w", err) return nil, err
} }
// renew certificates 7 days before they expire // renew certificates 7 days before they expire
if shouldRenewCert(&tlsCertificate, 7) { if tlsCertificate.Leaf.NotAfter.Before(time.Now().Add(7 * 24 * time.Hour)) {
// TODO: use ValidTill of custom cert struct // TODO: use ValidTill of custom cert struct
if res.CSR != nil && len(res.CSR) > 0 { if res.CSR != nil && len(res.CSR) > 0 {
// CSR stores the time when the renewal shall be tried again // CSR stores the time when the renewal shall be tried again
@ -237,6 +246,10 @@ func (c *AcmeClient) obtainCert(acmeClient *lego.Client, domains []string, renew
if err != nil { if err != nil {
return nil, fmt.Errorf("certificate failed in synchronous request: %w", err) return nil, fmt.Errorf("certificate failed in synchronous request: %w", err)
} }
cert.Leaf, err = leaf(cert)
if err != nil {
return nil, err
}
return cert, nil return cert, nil
} }
defer c.obtainLocks.Delete(name) defer c.obtainLocks.Delete(name)
@ -300,6 +313,7 @@ func (c *AcmeClient) obtainCert(acmeClient *lego.Client, domains []string, renew
} }
leaf, err := leaf(&tlsCertificate) leaf, err := leaf(&tlsCertificate)
if err == nil && leaf.NotAfter.After(time.Now()) { if err == nil && leaf.NotAfter.After(time.Now()) {
tlsCertificate.Leaf = leaf
// avoid sending a mock cert instead of a still valid cert, instead abuse CSR field to store time to try again at // avoid sending a mock cert instead of a still valid cert, instead abuse CSR field to store time to try again at
renew.CSR = []byte(strconv.FormatInt(time.Now().Add(6*time.Hour).Unix(), 10)) renew.CSR = []byte(strconv.FormatInt(time.Now().Add(6*time.Hour).Unix(), 10))
if err := keyDatabase.Put(name, renew); err != nil { if err := keyDatabase.Put(name, renew); err != nil {
@ -323,6 +337,10 @@ func (c *AcmeClient) obtainCert(acmeClient *lego.Client, domains []string, renew
if err != nil { if err != nil {
return nil, err return nil, err
} }
tlsCertificate.Leaf, err = leaf(&tlsCertificate)
if err != nil {
return nil, err
}
return &tlsCertificate, nil return &tlsCertificate, nil
} }
@ -343,11 +361,6 @@ func SetupMainDomainCertificates(mainDomainSuffix string, acmeClient *AcmeClient
return nil return nil
} }
// shouldRenewCert returns true if the validity date of the cert is less than the given number of days in the future
func shouldRenewCert(cert *tls.Certificate, days uint) bool {
return cert.Leaf.NotAfter.Before(time.Now().Add(time.Duration(days) * 24 * time.Hour))
}
func MaintainCertDB(ctx context.Context, interval time.Duration, acmeClient *AcmeClient, mainDomainSuffix string, certDB database.CertDB) { func MaintainCertDB(ctx context.Context, interval time.Duration, acmeClient *AcmeClient, mainDomainSuffix string, certDB database.CertDB) {
for { for {
// delete expired certs that will be invalid until next clean up // delete expired certs that will be invalid until next clean up
@ -402,11 +415,20 @@ func MaintainCertDB(ctx context.Context, interval time.Duration, acmeClient *Acm
} }
} }
// leaf returns the parsed leaf certificate, either from c.leaf or by parsing // leaf returns the parsed leaf certificate, either from c.Leaf or by parsing
// the corresponding c.Certificate[0]. // the corresponding c.Certificate[0].
// After successfuly parsing the cert c.Leaf gets set to the parsed cert.
func leaf(c *tls.Certificate) (*x509.Certificate, error) { func leaf(c *tls.Certificate) (*x509.Certificate, error) {
if c.Leaf != nil { if c.Leaf != nil {
return c.Leaf, nil return c.Leaf, nil
} }
return x509.ParseCertificate(c.Certificate[0])
leaf, err := x509.ParseCertificate(c.Certificate[0])
if err != nil {
return nil, fmt.Errorf("tlsCert - failed to parse leaf: %w", err)
}
c.Leaf = leaf
return leaf, err
} }