-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix: new cert issuing is incorrectly delayed #998
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -69,7 +69,7 @@ func isCertificateExpired(c *tls.Certificate) bool { | |
} | ||
|
||
// If leaf is not there, the certificate is probably not used yet. We trust user to provide a valid certificate. | ||
return c.Leaf != nil && c.Leaf.NotAfter.Before(time.Now().Add(-time.Minute)) | ||
return c.Leaf != nil && c.Leaf.NotAfter.Before(time.Now().Add(time.Minute*2)) | ||
} | ||
|
||
func issueCertificate(rawCA *Certificate, domain string) (*tls.Certificate, error) { | ||
|
@@ -122,6 +122,9 @@ func getGetCertificateFunc(c *tls.Config, ca []*Certificate) func(hello *tls.Cli | |
cert := certificate | ||
if !isCertificateExpired(&cert) { | ||
newCerts = append(newCerts, cert) | ||
} else if cert.Leaf != nil { | ||
expTime := cert.Leaf.NotAfter.Format(time.RFC3339) | ||
newError("old certificate for ", domain, " (expire on ", expTime, ") revoked").AtInfo().WriteToLog() | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Revoke 在CA语境下有一个特别的含义。在截至日期前失去信任才是 Revoke,现在这个到截止日期了才删除,我合并后换一个单词吧。 https://en.wikipedia.org/wiki/Certificate_revocation_list There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 现在正是在证书Expire之前2分钟就将证书废止,所以我才用了Revoke一词。其实真正需要更改的是 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 我仔细考虑了一下,由于CRL的缺失,这个废止仅在服务端生效,客户端在证书到期前其实依旧能够继续使用,因此revoke一词确实不够准确,或许换成discard更合适。 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 嗯,总之我合并的时候会改一下的。 |
||
} | ||
} | ||
|
||
|
@@ -139,6 +142,14 @@ func getGetCertificateFunc(c *tls.Config, ca []*Certificate) func(hello *tls.Cli | |
newError("failed to issue new certificate for ", domain).Base(err).WriteToLog() | ||
continue | ||
} | ||
parsed, err := x509.ParseCertificate(newCert.Certificate[0]) | ||
if err == nil { | ||
newCert.Leaf = parsed | ||
expTime := parsed.NotAfter.Format(time.RFC3339) | ||
newError("new certificate for ", domain, " (expire on ", expTime, ") issued").AtInfo().WriteToLog() | ||
} else { | ||
newError("failed to parse new certificate for ", domain).Base(err).WriteToLog() | ||
} | ||
|
||
access.Lock() | ||
c.Certificates = append(c.Certificates, *newCert) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
这里感觉没有问题,修复了之前的一个bug。