forked from TrueCloudLab/lego
Fix cert bundle order
parent
51a95ee548
commit
2afea79309
2 changed files with 19 additions and 24 deletions
|
@ -184,9 +184,9 @@ func (c *Client) RevokeCertificate(certificate []byte) error {
|
|||
return err
|
||||
}
|
||||
|
||||
x509Cert := certificates[len(certificates)-1]
|
||||
x509Cert := certificates[0]
|
||||
if x509Cert.IsCA {
|
||||
return fmt.Errorf("Certificate bundle ends with a CA certificate")
|
||||
return fmt.Errorf("Certificate bundle starts with a CA certificate")
|
||||
}
|
||||
|
||||
encodedCert := base64.URLEncoding.EncodeToString(x509Cert.Raw)
|
||||
|
@ -225,9 +225,9 @@ func (c *Client) RenewCertificate(cert CertificateResource, revokeOld bool, bund
|
|||
return CertificateResource{}, err
|
||||
}
|
||||
|
||||
x509Cert := certificates[len(certificates)-1]
|
||||
x509Cert := certificates[0]
|
||||
if x509Cert.IsCA {
|
||||
return CertificateResource{}, fmt.Errorf("[%s] Certificate bundle ends with a CA certificate", cert.Domain)
|
||||
return CertificateResource{}, fmt.Errorf("[%s] Certificate bundle starts with a CA certificate", cert.Domain)
|
||||
}
|
||||
|
||||
// This is just meant to be informal for the user.
|
||||
|
@ -269,16 +269,15 @@ func (c *Client) RenewCertificate(cert CertificateResource, revokeOld bool, bund
|
|||
if err != nil {
|
||||
// If we fail to aquire the issuer cert, return the issued certificate - do not fail.
|
||||
logger().Printf("[%s] Could not bundle issuer certificate.\n%v", cert.Domain, err)
|
||||
cert.Certificate = issuedCert
|
||||
} else {
|
||||
// Success - prepend the issuer cert to the issued cert.
|
||||
// Success - append the issuer cert to the issued cert.
|
||||
issuerCert = pemEncode(derCertificateBytes(issuerCert))
|
||||
issuerCert = append(issuerCert, issuedCert...)
|
||||
cert.Certificate = issuerCert
|
||||
issuedCert = append(issuedCert, issuerCert...)
|
||||
cert.Certificate = issuedCert
|
||||
}
|
||||
} else {
|
||||
cert.Certificate = issuedCert
|
||||
}
|
||||
|
||||
cert.Certificate = issuedCert
|
||||
return cert, nil
|
||||
}
|
||||
|
||||
|
@ -482,16 +481,14 @@ func (c *Client) requestCertificate(authz *authorizationResource, result chan Ce
|
|||
if err != nil {
|
||||
// If we fail to aquire the issuer cert, return the issued certificate - do not fail.
|
||||
logger().Printf("[%s] Could not bundle issuer certificate.\n%v", authz.Domain, err)
|
||||
cerRes.Certificate = issuedCert
|
||||
} else {
|
||||
// Success - prepend the issuer cert to the issued cert.
|
||||
// Success - append the issuer cert to the issued cert.
|
||||
issuerCert = pemEncode(derCertificateBytes(issuerCert))
|
||||
issuerCert = append(issuerCert, issuedCert...)
|
||||
cerRes.Certificate = issuerCert
|
||||
issuedCert = append(issuedCert, issuerCert...)
|
||||
}
|
||||
} else {
|
||||
cerRes.Certificate = issuedCert
|
||||
}
|
||||
|
||||
cerRes.Certificate = issuedCert
|
||||
logger().Printf("[%s] Server responded with a certificate.", authz.Domain)
|
||||
result <- cerRes
|
||||
return
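Review bot: In RevokeCertificate and RenewCertificate, `certificates[0]` is now assumed to be the leaf, so a bundle saved by an earlier version in the issuer-first layout (the layout the replaced lines in the `@ -269` and `@ -482` hunks appear to have produced) is rejected with "starts with a CA certificate" and can no longer be revoked or renewed. The index is also taken without a visible length check, which would panic if the parser can return an empty slice with a nil error; the parsing code is outside these hunks, so that is unconfirmed. Selecting the first non-CA certificate instead of a fixed position covers both cases. The fence shows this for RevokeCertificate; RenewCertificate would use the same loop with its own return values, and the sketch assumes the slice holds `*x509.Certificate` values, which the `IsCA` and `Raw` accesses suggest.

```go
// … unchanged: bundle parsing and its error return …
var x509Cert *x509.Certificate
for _, crt := range certificates {
	if !crt.IsCA {
		x509Cert = crt
		break
	}
}
if x509Cert == nil {
	return fmt.Errorf("Certificate bundle contains no end-entity certificate")
}
// … unchanged: base64 encoding of x509Cert.Raw …
```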
|
||||
|
|
|
@ -61,17 +61,15 @@ func GetOCSPForCert(bundle []byte) ([]byte, error) {
|
|||
}
|
||||
|
||||
// Insert it into the slice on position 0
|
||||
// We want it ordered right CA -> CRT
|
||||
certificates = append(certificates, nil)
|
||||
copy(certificates[1:], certificates[0:])
|
||||
certificates[0] = issuerCert
|
||||
// We want it ordered right SRV CRT -> CA
|
||||
certificates = append(certificates, issuerCert)
|
||||
}
|
||||
|
||||
// We expect the certificate slice to be ordered downwards the chain.
|
||||
// CA -> CRT. We need to pull the cert and issuer cert out of it, which should
|
||||
// always be the last two certificates.
|
||||
issuedCert := certificates[len(certificates)-1]
|
||||
issuerCert := certificates[len(certificates)-2]
|
||||
// SRV CRT -> CA. We need to pull the cert and issuer cert out of it,
|
||||
// which should always be the last two certificates.
|
||||
issuedCert := certificates[0]
|
||||
issuerCert := certificates[1]
|
||||
|
||||
// Finally kick off the OCSP request.
|
||||
ocspReq, err := ocsp.CreateRequest(issuedCert, issuerCert, nil)
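Review bot: GetOCSPForCert now takes `certificates[0]` as the issued certificate and `certificates[1]` as its issuer without checking the order, so a bundle still in the previous issuer-first layout would get an OCSP request built for the CA certificate rather than the server certificate. RevokeCertificate and RenewCertificate guard this with an `IsCA` test, but there is none here; adding `if issuedCert.IsCA { return nil, errors.New("certificate bundle starts with a CA certificate") }` before `ocsp.CreateRequest` would make it fail closed (use whichever of `errors` or `fmt` this file already imports). The comment above the two index expressions still says "the last two certificates" and should read "the first two certificates". The function starts and ends outside the hunk, so whether the slice is guaranteed to hold at least two entries at this point cannot be confirmed from here.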
|
||||
|
|