Improve error message when client renews with expired certificate

When a client provides an expired certificate and `AllowAfterExpiry`
is not enabled, the client would get a rather generic error with
instructions to view the CA logs. Viewing the CA logs can be done
when running `step-ca`, but they can't be accessed easily in the
hosted solution.

This commit returns a slightly more informational message to the
client in this specific situation.
This commit is contained in:
Herman Slatman 2022-05-19 01:25:30 +02:00
parent 14524d7916
commit 479eda7339
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F

View file

@ -3,6 +3,7 @@ package provisioner
import ( import (
"context" "context"
"crypto/x509" "crypto/x509"
"net/http"
"regexp" "regexp"
"strings" "strings"
"time" "time"
@ -131,7 +132,9 @@ func DefaultAuthorizeRenew(ctx context.Context, p *Controller, cert *x509.Certif
return errs.Unauthorized("certificate is not yet valid" + " " + now.UTC().Format(time.RFC3339Nano) + " vs " + cert.NotBefore.Format(time.RFC3339Nano)) return errs.Unauthorized("certificate is not yet valid" + " " + now.UTC().Format(time.RFC3339Nano) + " vs " + cert.NotBefore.Format(time.RFC3339Nano))
} }
if now.After(cert.NotAfter) && !p.Claimer.AllowRenewalAfterExpiry() { if now.After(cert.NotAfter) && !p.Claimer.AllowRenewalAfterExpiry() {
return errs.Unauthorized("certificate has expired") // return a custom 401 Unauthorized error with a clearer message for the client
// TODO(hs): these errors likely need to be refactored as a whole; HTTP status codes shouldn't be in this layer.
return errs.New(http.StatusUnauthorized, "The request lacked necessary authorization to be completed: certificate expired on %s", cert.NotAfter)
} }
return nil return nil