From 479eda73397a98f729c87b0253b7684921c251ba Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Thu, 19 May 2022 01:25:30 +0200 Subject: [PATCH] Improve error message when client renews with expired certificate When a client provides an expired certificate and `AllowAfterExpiry` is not enabled, the client would get a rather generic error with instructions to view the CA logs. Viewing the CA logs can be done when running `step-ca`, but they can't be accessed easily in the hosted solution. This commit returns a slightly more informational message to the client in this specific situation. --- authority/provisioner/controller.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/authority/provisioner/controller.go b/authority/provisioner/controller.go index 0ca40267..063ab50c 100644 --- a/authority/provisioner/controller.go +++ b/authority/provisioner/controller.go @@ -3,6 +3,7 @@ package provisioner import ( "context" "crypto/x509" + "net/http" "regexp" "strings" "time" @@ -131,7 +132,9 @@ func DefaultAuthorizeRenew(ctx context.Context, p *Controller, cert *x509.Certif return errs.Unauthorized("certificate is not yet valid" + " " + now.UTC().Format(time.RFC3339Nano) + " vs " + cert.NotBefore.Format(time.RFC3339Nano)) } if now.After(cert.NotAfter) && !p.Claimer.AllowRenewalAfterExpiry() { - return errs.Unauthorized("certificate has expired") + // return a custom 401 Unauthorized error with a clearer message for the client + // TODO(hs): these errors likely need to be refactored as a whole; HTTP status codes shouldn't be in this layer. + return errs.New(http.StatusUnauthorized, "The request lacked necessary authorization to be completed: certificate expired on %s", cert.NotAfter) } return nil