From 60a4512abef6b6b3efe2282228ffc412e79357d4 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Tue, 2 May 2023 14:58:32 +0200
Subject: [PATCH] Add `/crl` and `/1.0/crl` to the insecure HTTP handler
---
 ca/ca.go | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/ca/ca.go b/ca/ca.go
index 33f81200..fd6535a8 100644
--- a/ca/ca.go
+++ b/ca/ca.go
@@ -196,7 +196,11 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 api.Route(r)
 })
 
-//Add ACME api endpoints in /acme and /1.0/acme
+ // Mount the CRL to the insecure mux
+ insecureMux.Get("/crl", api.CRL)
+ insecureMux.Get("/1.0/crl", api.CRL)
+
+ // Add ACME api endpoints in /acme and /1.0/acme
 dns := cfg.DNSNames[0]
 u, err := url.Parse("https://" + cfg.Address)
 if err != nil {
@@ -276,6 +280,7 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 
 // helpful routine for logging all routes
 //dumpRoutes(mux)
+ //dumpRoutes(insecureMux)
 
 // Add monitoring if configured
 if len(cfg.Monitoring) > 0 {
@@ -307,7 +312,7 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 
 // only start the insecure server if the insecure address is configured
 // and, currently, also only when it should serve SCEP endpoints.
- if ca.shouldServeSCEPEndpoints() && cfg.InsecureAddress != "" {
+ if ca.shouldServeInsecureServer() {
 // TODO: instead opt for having a single server.Server but two
 // http.Servers handling the HTTP and HTTPS handler? The latter
 // will probably introduce more complexity in terms of graceful
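Review bot: The `/crl` and `/1.0/crl` routes are mounted on `insecureMux` unconditionally, while the plain-HTTP listener only starts when `shouldServeInsecureServer()` holds, so with SCEP enabled and no CRL configured the route is still reachable and its response depends on how `api.CRL` handles a disabled CRL, which this hunk does not show. If `api.CRL` already answers with an error in that case this is fine; otherwise gate the mount the same way, `if cfg.CRL != nil && cfg.CRL.Enabled { ... }`. The comment should also say why plain HTTP is acceptable here, e.g. `// Mount the CRL on the insecure mux: the CRL is signed by the CA, so clients verify it by signature rather than by the transport.` Init continues outside the hunk.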
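Review bot: The comment directly above the changed condition in the `@@ -307,7` hunk still says the insecure server starts only when it should serve SCEP endpoints, which is no longer true now that `shouldServeInsecureServer()` also considers the CRL; update it to `// and, currently, also only when it should serve SCEP or CRL endpoints.` The replaced condition read `cfg.InsecureAddress`, whereas the new helper reads `ca.config.InsecureAddress`; presumably `ca.config` is assigned from `cfg` earlier in Init, but that assignment is not visible in this hunk. The `if` body continues past the hunk.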
@@ -321,6 +326,23 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 return ca, nil
 }
 
+// shouldServeInsecureServer returns whether or not the insecure
+// server should also be started. This is (currently) only the case
+// if the insecure address has been configured AND when a SCEP
+// provisioner is configured or when a CRL is configured.
+func (ca *CA) shouldServeInsecureServer() bool {
+ switch {
+ case ca.config.InsecureAddress == "":
+ return false
+ case ca.shouldServeSCEPEndpoints():
+ return true
+ case ca.config.CRL != nil && ca.config.CRL.Enabled:
+ return true
+ default:
+ return false
+ }
+}
+
 // buildContext builds the server base context.
 func buildContext(a *authority.Authority, scepAuthority *scep.Authority, acmeDB acme.DB, acmeLinker acme.Linker) context.Context {
 ctx := authority.NewContext(context.Background(), a)
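Review bot: `shouldServeInsecureServer` spells a single boolean predicate as a four-arm switch of literal `return true`/`return false`; it reads more directly as one expression: `return ca.config.InsecureAddress != "" && (ca.shouldServeSCEPEndpoints() || (ca.config.CRL != nil && ca.config.CRL.Enabled))`. The nil check on `ca.config.CRL` is right, but `ca.config` itself is dereferenced unguarded; that is presumably fine because Init sets it before reaching this call, though the assignment is not visible here. The doc comment could follow the Go "reports whether" convention and name both triggers, e.g. `// shouldServeInsecureServer reports whether the plain-HTTP server must be started: the insecure address is set and either SCEP endpoints or an enabled CRL need to be served.`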