From 2d385d3f41980756fc335db9e657db16ad7549f7 Mon Sep 17 00:00:00 2001
From: xenolf
Date: Tue, 15 Dec 2015 21:10:47 +0100
Subject: [PATCH 1/3] CLI: renew only the first domain (CommonName)
---
 cli_handlers.go | 104 +++++++++++++++++++++++++-----------------------
 1 file changed, 54 insertions(+), 50 deletions(-)
diff --git a/cli_handlers.go b/cli_handlers.go
index b330753f..5f424466 100644
--- a/cli_handlers.go
+++ b/cli_handlers.go
@@ -172,55 +172,59 @@ func revoke(c *cli.Context) {
 func renew(c *cli.Context) {
 conf, _, client := setup(c)
-
- for _, domain := range c.GlobalStringSlice("domains") {
- // load the cert resource from files.
- // We store the certificate, private key and metadata in different files
- // as web servers would not be able to work with a combined file.
- certPath := path.Join(conf.CertPath(), domain+".crt")
- privPath := path.Join(conf.CertPath(), domain+".key")
- metaPath := path.Join(conf.CertPath(), domain+".json")
-
- certBytes, err := ioutil.ReadFile(certPath)
- if err != nil {
- logger().Fatalf("Error while loading the certificate for domain %s\n\t%s", domain, err.Error())
- }
-
- if c.IsSet("days") {
- expTime, err := acme.GetPEMCertExpiration(certBytes)
- if err != nil {
- logger().Printf("Could not get Certification expiration for domain %s", domain)
- }
-
- if int(expTime.Sub(time.Now()).Hours()/24.0) <= c.Int("days") {
- continue
- }
- }
-
- keyBytes, err := ioutil.ReadFile(privPath)
- if err != nil {
- logger().Fatalf("Error while loading the private key for domain %s\n\t%s", domain, err.Error())
- }
-
- metaBytes, err := ioutil.ReadFile(metaPath)
- if err != nil {
- logger().Fatalf("Error while loading the meta data for domain %s\n\t%s", domain, err.Error())
- }
-
- var certRes acme.CertificateResource
- err = json.Unmarshal(metaBytes, &certRes)
- if err != nil {
- logger().Fatalf("Error while marshalling the meta data for domain %s\n\t%s", domain, err.Error())
- }
-
- certRes.PrivateKey = keyBytes
- certRes.Certificate = certBytes
-
- newCert, err := client.RenewCertificate(certRes, true, true)
- if err != nil {
- logger().Fatalf("%s", err.Error())
- }
-
- saveCertRes(newCert, conf)
+
+ if len(c.GlobalStringSlice("domains")) <= 0 {
+ logger().Fatal("Please specify at least one domain.")
 }
+
+ domain := c.GlobalStringSlice("domains")[0]
+
+ // load the cert resource from files.
+ // We store the certificate, private key and metadata in different files
+ // as web servers would not be able to work with a combined file.
+ certPath := path.Join(conf.CertPath(), domain+".crt")
+ privPath := path.Join(conf.CertPath(), domain+".key")
+ metaPath := path.Join(conf.CertPath(), domain+".json")
+
+ certBytes, err := ioutil.ReadFile(certPath)
+ if err != nil {
+ logger().Fatalf("Error while loading the certificate for domain %s\n\t%s", domain, err.Error())
+ }
+
+ if c.IsSet("days") {
+ expTime, err := acme.GetPEMCertExpiration(certBytes)
+ if err != nil {
+ logger().Printf("Could not get Certification expiration for domain %s", domain)
+ }
+
+ if int(expTime.Sub(time.Now()).Hours() / 24.0) <= c.Int("days") {
+ return
+ }
+ }
+
+ keyBytes, err := ioutil.ReadFile(privPath)
+ if err != nil {
+ logger().Fatalf("Error while loading the private key for domain %s\n\t%s", domain, err.Error())
+ }
+
+ metaBytes, err := ioutil.ReadFile(metaPath)
+ if err != nil {
+ logger().Fatalf("Error while loading the meta data for domain %s\n\t%s", domain, err.Error())
+ }
+
+ var certRes acme.CertificateResource
+ err = json.Unmarshal(metaBytes, &certRes)
+ if err != nil {
+ logger().Fatalf("Error while marshalling the meta data for domain %s\n\t%s", domain, err.Error())
+ }
+
+ certRes.PrivateKey = keyBytes
+ certRes.Certificate = certBytes
+
+ newCert, err := client.RenewCertificate(certRes, true, true)
+ if err != nil {
+ logger().Fatalf("%s", err.Error())
+ }
+
+ saveCertRes(newCert, conf)
 }
From 5930ea52f0311bde21a68895d72a84e3fbc1db4d Mon Sep 17 00:00:00 2001
From: xenolf
Date: Tue, 15 Dec 2015 21:12:09 +0100
Subject: [PATCH 2/3] lib: make renew aware of SAN
---
 acme/client.go | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/acme/client.go b/acme/client.go
index 714b22af..0fef85f3 100644
--- a/acme/client.go
+++ b/acme/client.go
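Review bot: When `--days` is set and `acme.GetPEMCertExpiration` fails, the new body only logs with `logger().Printf` and then goes on to evaluate `expTime.Sub(time.Now())` on the zero `time.Time`, which yields a large negative day count, so the `<= c.Int("days")` branch returns and the command exits successfully without renewing a certificate it could not even parse. Every other load error in this function is fatal, so the same treatment is consistent here: `logger().Fatalf("Could not get Certification expiration for domain %s\n\t%s", domain, err.Error())`. A second, smaller point: when more than one `--domains` value is given, everything after the first is dropped silently, and a one-line `logger().Printf` saying that only `domain` is being renewed would save users from assuming the other names were handled. `len(...) <= 0` is also more naturally written `len(...) == 0` for a slice.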
@@ -368,7 +368,24 @@ func (c *Client) RenewCertificate(cert CertificateResource, revokeOld bool, bund
 return cert, nil
 }
- newCerts, failures := c.ObtainCertificates([]string{cert.Domain}, bundle)
+ var domains []string
+ newCerts := make([]CertificateResource, 1)
+ var failures map[string]error
+ // check for SAN certificate
+ if len(x509Cert.DNSNames) > 1 {
+ domains = append(domains, x509Cert.Subject.CommonName)
+ for _, sanDomain := range x509Cert.DNSNames {
+ if sanDomain == x509Cert.Subject.CommonName {
+ continue
+ }
+ domains = append(domains, sanDomain)
+ newCerts[0], failures = c.ObtainSANCertificate(domains, bundle)
+ }
+ } else {
+ domains = append(domains, x509Cert.Subject.CommonName)
+ newCerts, failures = c.ObtainCertificates(domains, bundle)
+ }
+
 if len(failures) > 0 {
 return CertificateResource{}, failures[cert.Domain]
 }
From 136cc73ff806b8d54dda068d330106835ddf1b8e Mon Sep 17 00:00:00 2001
From: xenolf
Date: Wed, 16 Dec 2015 11:23:38 +0100
Subject: [PATCH 3/3] Move call to ObtainSANCertificate
---
 acme/client.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/acme/client.go b/acme/client.go
index 0fef85f3..8c7e644f 100644
--- a/acme/client.go
+++ b/acme/client.go
@@ -379,8 +379,8 @@ func (c *Client) RenewCertificate(cert CertificateResource, revokeOld bool, bund
 continue
 }
 domains = append(domains, sanDomain)
- newCerts[0], failures = c.ObtainSANCertificate(domains, bundle)
 }
+ newCerts[0], failures = c.ObtainSANCertificate(domains, bundle)
 } else {
 domains = append(domains, x509Cert.Subject.CommonName)
 newCerts, failures = c.ObtainCertificates(domains, bundle)
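Review bot: In the new SAN branch the unchanged error lookup `return CertificateResource{}, failures[cert.Domain]` can hand back a nil error even though `len(failures) > 0`, because with several names in `domains` the failing entry may be keyed by one of the SAN names rather than by `cert.Domain` (the keys `ObtainSANCertificate` uses are not visible here, so this is inferred); the caller would then receive an empty `CertificateResource` and a nil error and could persist it over the old certificate and key. The same lookup is what the third patch's hunk still falls through to after moving the `ObtainSANCertificate` call out of the loop. Returning the first non-nil error from the map, preferring `cert.Domain` when present, closes that gap. Separately, `newCerts := make([]CertificateResource, 1)` is discarded in the `else` branch, so `var newCerts []CertificateResource` with a `make` inside the SAN branch would be clearer. `RenewCertificate` starts and ends outside the hunk and `x509Cert` is declared above it.
```go
if len(failures) > 0 {
	if err, ok := failures[cert.Domain]; ok && err != nil {
		return CertificateResource{}, err
	}
	// the failure was recorded under a SAN name rather than cert.Domain;
	// surface it instead of returning a nil error with an empty resource
	for _, err := range failures {
		if err != nil {
			return CertificateResource{}, err
		}
	}
}
```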