From af826ff45707d07502fa6cab7e358f91f6e8bf61 Mon Sep 17 00:00:00 2001
From: Paul Lecuq
Date: Sat, 20 Apr 2024 17:02:25 +0200
Subject: [PATCH] reworked cert issuing

---
 src/pki/acme.go | 23 ++++++++++++++++------
 src/pkiws/server.go | 2 +-
 src/pkiws/serverhandle.go | 41 +++++++++++++++++++--------------------
 3 files changed, 38 insertions(+), 28 deletions(-)

diff --git a/src/pki/acme.go b/src/pki/acme.go
index 7d32fe8..4ccdb9e 100644
--- a/src/pki/acme.go
+++ b/src/pki/acme.go
@@ -66,15 +66,26 @@ func (u *User) HandleRegistration(cfg *config.Config, client *lego.Client) (err
 }
 
 // RequestNewCert returns a newly requested certificate to letsencrypt
-func (u *User) RequestNewCert(cfg *config.Config, domainname *string) (certs *certificate.Resource, err error) {
+func (u *User) RequestNewCert(cfg *config.Config, domainnames *[]string) (certs *certificate.Resource, err error) {
 legoconfig := lego.NewConfig(u)
 legoconfig.CADirURL = cfg.ACME.AuthURL
 legoconfig.Certificate.KeyType = certcrypto.RSA2048
 
- dom := domain.Domain{Domain: *domainname}
- _, err = cfg.Db.Get(&dom)
- if err != nil {
- log.Println(err)
+ var dom domain.Domain
+ var has bool
+ for _, d := range *domainnames {
+ dom = domain.Domain{Domain: d}
+ if has, err = cfg.Db.Get(&dom); has {
+ break
+ }
+ if err != nil {
+ log.Println(err)
+ }
+ }
+
+ if !has {
+ err = fmt.Errorf("supplied domain not in allow domains")
+ return
 }
 
 var provider challenge.Provider
@@ -110,7 +121,7 @@ func (u *User) RequestNewCert(cfg *config.Config, domainname *string) (certs *ce
 }
 
 request := certificate.ObtainRequest{
- Domains: []string{*domainname, fmt.Sprintf(`*.%s`, *domainname)},
+ Domains: *domainnames,
 Bundle: true,
 }
 
diff --git a/src/pkiws/server.go b/src/pkiws/server.go
index 87e5e45..a900a25 100644
--- a/src/pkiws/server.go
+++ b/src/pkiws/server.go
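Review bot: The allow-list loop in the first hunk succeeds as soon as one name in `*domainnames` has a `domain.Domain` row, yet the ObtainRequest in the second hunk (@@ -110) hands every name in `*domainnames` to the CA, so a single authorised domain lets a request carry unchecked names alongside it into the issued certificate. Each name should be looked up and rejected on its own, and a nil or empty `domainnames` should be refused instead of falling through to an empty `Domains` list; the rewrite below does both. `dom` stays at function scope because the later lines of RequestNewCert, which lie outside the hunk, may still read the matched record, and if they pick the challenge provider from it one provider per domain may be required, which I cannot confirm from here. The message `supplied domain not in allow domains` also reads better as `allowed domains`.
```go
	var dom domain.Domain
	var has bool
	if domainnames == nil || len(*domainnames) == 0 {
		return nil, fmt.Errorf("no domain supplied")
	}
	for _, d := range *domainnames {
		dom = domain.Domain{Domain: d}
		has, err = cfg.Db.Get(&dom)
		if err != nil {
			return nil, err
		}
		if !has {
			return nil, fmt.Errorf("supplied domain %q not in allowed domains", d)
		}
	}
	// … unchanged: provider selection and ObtainRequest …
```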
@@ -30,7 +30,7 @@ func RunServer(cfg *config.Config) (err error) {
 return c.String(http.StatusOK, "Welcome to PKI software (https://git.paulbsd.com/paulbsd/pki)")
 })
 e.POST("/cert", func(c echo.Context) (err error) {
- var request EntryRequest
+ var request = new(EntryRequest)
 var result = make(map[string]EntryResponse)
 err = c.Bind(&request)
 if err != nil {
diff --git a/src/pkiws/serverhandle.go b/src/pkiws/serverhandle.go
index 07962ff..dc1f623 100644
--- a/src/pkiws/serverhandle.go
+++ b/src/pkiws/serverhandle.go
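Review bot: `var request = new(EntryRequest)` together with the unchanged `err = c.Bind(&request)` now passes a `**EntryRequest` to Bind; the JSON body decoder tolerates a pointer to a pointer, but echo's reflective param binding expects a pointer to a struct, so this relies on the binder's handling of the extra indirection rather than being clearly intended. Either keep the value declaration or drop the address-of: `err = c.Bind(request)`. How `request` is consumed further down the handler lies outside the hunk, so I cannot tell which form the later lines need.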
@@ -25,31 +25,30 @@ func GetCertificate(cfg *config.Config, user *pki.User, domains *[]string) (resu
 }
 
 result = make(map[string]EntryResponse)
- for _, domain := range *domains {
- entry, err := user.GetEntry(cfg, &domain)
+ firstdomain := (*domains)[0]
+ entry, err := user.GetEntry(cfg, &firstdomain)
+ if err != nil {
+ certs, err := user.RequestNewCert(cfg, domains)
 if err != nil {
- certs, err := user.RequestNewCert(cfg, &domain)
- if err != nil {
- log.Printf("Error fetching new certificate %s\n", err)
- return result, err
- }
- NotBefore, NotAfter, err := GetDates(certs.Certificate)
- if err != nil {
- log.Println("Error where parsing dates")
- return result, err
- }
- entry := cert.Entry{Domain: certs.Domain,
- Certificate: string(certs.Certificate),
- PrivateKey: string(certs.PrivateKey),
- ValidityBegin: NotBefore,
- ValidityEnd: NotAfter,
- AuthURL: cfg.ACME.AuthURL}
- cfg.Db.Insert(&entry)
- result[domain] = convertEntryToResponse(entry)
+ log.Printf("Error fetching new certificate %s\n", err)
 return result, err
 }
- result[domain] = convertEntryToResponse(entry)
+ NotBefore, NotAfter, err := GetDates(certs.Certificate)
+ if err != nil {
+ log.Println("Error where parsing dates")
+ return result, err
+ }
+ entry := cert.Entry{Domain: certs.Domain,
+ Certificate: string(certs.Certificate),
+ PrivateKey: string(certs.PrivateKey),
+ ValidityBegin: NotBefore,
+ ValidityEnd: NotAfter,
+ AuthURL: cfg.ACME.AuthURL}
+ cfg.Db.Insert(&entry)
+ result[firstdomain] = convertEntryToResponse(entry)
+ return result, err
 }
+ result[firstdomain] = convertEntryToResponse(entry)
 return
 }
 
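Review bot: `firstdomain := (*domains)[0]` indexes the slice with no visible length check, so an empty `domains` list from the `/cert` request panics the handler unless the lines above the hunk already guard it; if they do not, add `if domains == nil || len(*domains) == 0 { return result, fmt.Errorf("no domain supplied") }` before the index (`fmt` may need importing in this file). The return value of `cfg.Db.Insert(&entry)` is still discarded on the new side, so a failed write of the freshly issued certificate and private key goes unnoticed while the response reports success; `cfg.Db.Get` returns an error in acme.go, so Insert very likely does too and should be checked and returned. Keying `result` by `firstdomain` only also means a stored entry for that name is served without confirming it covers the remaining names in `domains`, which I cannot verify from the hunk. The log text `Error where parsing dates` presumably means `Error while parsing dates`. GetCertificate starts before this hunk.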