mirror of
https://github.com/go-acme/lego.git
synced 2024-12-26 11:18:00 +02:00
Fix cert bundle order
This commit is contained in:
parent
51a95ee548
commit
2afea79309
@ -184,9 +184,9 @@ func (c *Client) RevokeCertificate(certificate []byte) error {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
x509Cert := certificates[len(certificates)-1]
|
x509Cert := certificates[0]
|
||||||
if x509Cert.IsCA {
|
if x509Cert.IsCA {
|
||||||
return fmt.Errorf("Certificate bundle ends with a CA certificate")
|
return fmt.Errorf("Certificate bundle starts with a CA certificate")
|
||||||
}
|
}
|
||||||
|
|
||||||
encodedCert := base64.URLEncoding.EncodeToString(x509Cert.Raw)
|
encodedCert := base64.URLEncoding.EncodeToString(x509Cert.Raw)
|
||||||
@ -225,9 +225,9 @@ func (c *Client) RenewCertificate(cert CertificateResource, revokeOld bool, bund
|
|||||||
return CertificateResource{}, err
|
return CertificateResource{}, err
|
||||||
}
|
}
|
||||||
|
|
||||||
x509Cert := certificates[len(certificates)-1]
|
x509Cert := certificates[0]
|
||||||
if x509Cert.IsCA {
|
if x509Cert.IsCA {
|
||||||
return CertificateResource{}, fmt.Errorf("[%s] Certificate bundle ends with a CA certificate", cert.Domain)
|
return CertificateResource{}, fmt.Errorf("[%s] Certificate bundle starts with a CA certificate", cert.Domain)
|
||||||
}
|
}
|
||||||
|
|
||||||
// This is just meant to be informal for the user.
|
// This is just meant to be informal for the user.
|
||||||
@ -269,16 +269,15 @@ func (c *Client) RenewCertificate(cert CertificateResource, revokeOld bool, bund
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
// If we fail to aquire the issuer cert, return the issued certificate - do not fail.
|
// If we fail to aquire the issuer cert, return the issued certificate - do not fail.
|
||||||
logger().Printf("[%s] Could not bundle issuer certificate.\n%v", cert.Domain, err)
|
logger().Printf("[%s] Could not bundle issuer certificate.\n%v", cert.Domain, err)
|
||||||
cert.Certificate = issuedCert
|
|
||||||
} else {
|
} else {
|
||||||
// Success - prepend the issuer cert to the issued cert.
|
// Success - append the issuer cert to the issued cert.
|
||||||
issuerCert = pemEncode(derCertificateBytes(issuerCert))
|
issuerCert = pemEncode(derCertificateBytes(issuerCert))
|
||||||
issuerCert = append(issuerCert, issuedCert...)
|
issuedCert = append(issuedCert, issuerCert...)
|
||||||
cert.Certificate = issuerCert
|
cert.Certificate = issuedCert
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
cert.Certificate = issuedCert
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
cert.Certificate = issuedCert
|
||||||
return cert, nil
|
return cert, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -482,16 +481,14 @@ func (c *Client) requestCertificate(authz *authorizationResource, result chan Ce
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
// If we fail to aquire the issuer cert, return the issued certificate - do not fail.
|
// If we fail to aquire the issuer cert, return the issued certificate - do not fail.
|
||||||
logger().Printf("[%s] Could not bundle issuer certificate.\n%v", authz.Domain, err)
|
logger().Printf("[%s] Could not bundle issuer certificate.\n%v", authz.Domain, err)
|
||||||
cerRes.Certificate = issuedCert
|
|
||||||
} else {
|
} else {
|
||||||
// Success - prepend the issuer cert to the issued cert.
|
// Success - append the issuer cert to the issued cert.
|
||||||
issuerCert = pemEncode(derCertificateBytes(issuerCert))
|
issuerCert = pemEncode(derCertificateBytes(issuerCert))
|
||||||
issuerCert = append(issuerCert, issuedCert...)
|
issuedCert = append(issuedCert, issuerCert...)
|
||||||
cerRes.Certificate = issuerCert
|
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
cerRes.Certificate = issuedCert
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
cerRes.Certificate = issuedCert
|
||||||
logger().Printf("[%s] Server responded with a certificate.", authz.Domain)
|
logger().Printf("[%s] Server responded with a certificate.", authz.Domain)
|
||||||
result <- cerRes
|
result <- cerRes
|
||||||
return
|
return
|
||||||
|
@ -61,17 +61,15 @@ func GetOCSPForCert(bundle []byte) ([]byte, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Insert it into the slice on position 0
|
// Insert it into the slice on position 0
|
||||||
// We want it ordered right CA -> CRT
|
// We want it ordered right SRV CRT -> CA
|
||||||
certificates = append(certificates, nil)
|
certificates = append(certificates, issuerCert)
|
||||||
copy(certificates[1:], certificates[0:])
|
|
||||||
certificates[0] = issuerCert
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// We expect the certificate slice to be ordered downwards the chain.
|
// We expect the certificate slice to be ordered downwards the chain.
|
||||||
// CA -> CRT. We need to pull the cert and issuer cert out of it, which should
|
// SRV CRT -> CA. We need to pull the cert and issuer cert out of it,
|
||||||
// always be the last two certificates.
|
// which should always be the last two certificates.
|
||||||
issuedCert := certificates[len(certificates)-1]
|
issuedCert := certificates[0]
|
||||||
issuerCert := certificates[len(certificates)-2]
|
issuerCert := certificates[1]
|
||||||
|
|
||||||
// Finally kick off the OCSP request.
|
// Finally kick off the OCSP request.
|
||||||
ocspReq, err := ocsp.CreateRequest(issuedCert, issuerCert, nil)
|
ocspReq, err := ocsp.CreateRequest(issuedCert, issuerCert, nil)
|
||||||
|
Loading…
Reference in New Issue
Block a user