reverseproxy: compare the cert path on cert renewal

The fqdn will not match for wildcard certs.
Girish Ramakrishnan
2022-11-13 18:03:39 +01:00
parent 5447181e41
commit 8b43d43e35


@@ -256,7 +256,7 @@ function getUserCertificatePathSync(fqdn) {
return { certFilePath, keyFilePath };
}
function getAcmeCertificateName(fqdn, domainObject) {
function getAcmeCertificateNameSync(fqdn, domainObject) {
assert.strictEqual(typeof fqdn, 'string'); // this can contain wildcard domain (for alias domains)
assert.strictEqual(typeof domainObject, 'object');
@@ -271,7 +271,7 @@ function getAcmeCertificatePathSync(fqdn, domainObject) {
assert.strictEqual(typeof fqdn, 'string'); // this can contain wildcard domain (for alias domains)
assert.strictEqual(typeof domainObject, 'object');
const certName = getAcmeCertificateName(fqdn, domainObject);
const certName = getAcmeCertificateNameSync(fqdn, domainObject);
const certFilePath = path.join(paths.NGINX_CERT_DIR, `${certName}.cert`);
const keyFilePath = path.join(paths.NGINX_CERT_DIR, `${certName}.key`);
const csrFilePath = path.join(paths.NGINX_CERT_DIR, `${certName}.csr`);
@@ -318,7 +318,7 @@ async function getAcmeCertificate(fqdn, domainObject) {
assert.strictEqual(typeof fqdn, 'string'); // this can contain wildcard domain (for alias domains)
assert.strictEqual(typeof domainObject, 'object');
const certName = getAcmeCertificateName(fqdn, domainObject);
const certName = getAcmeCertificateNameSync(fqdn, domainObject);
const privateKey = await blobs.get(`${blobs.CERT_PREFIX}-${certName}.key`);
const cert = await blobs.get(`${blobs.CERT_PREFIX}-${certName}.cert`);
@@ -332,7 +332,7 @@ async function writeAcmeCertificate(fqdn, domainObject) {
assert.strictEqual(typeof fqdn, 'string'); // this can contain wildcard domain (for alias domains)
assert.strictEqual(typeof domainObject, 'object');
const certName = getAcmeCertificateName(fqdn, domainObject);
const certName = getAcmeCertificateNameSync(fqdn, domainObject);
const privateKey = await blobs.get(`${blobs.CERT_PREFIX}-${certName}.key`);
const cert = await blobs.get(`${blobs.CERT_PREFIX}-${certName}.cert`);
const csr = await blobs.get(`${blobs.CERT_PREFIX}-${certName}.csr`);
@@ -362,7 +362,7 @@ async function updateCertBlobs(fqdn, domainObject) {
const csr = safe.fs.readFileSync(csrFilePath);
if (!csr) throw new BoxError(BoxError.FS_ERROR, `Failed to read csr: ${safe.error.message}`);
const certName = getAcmeCertificateName(fqdn, domainObject);
const certName = getAcmeCertificateNameSync(fqdn, domainObject);
await blobs.set(`${blobs.CERT_PREFIX}-${certName}.key`, privateKey);
await blobs.set(`${blobs.CERT_PREFIX}-${certName}.cert`, cert);
await blobs.set(`${blobs.CERT_PREFIX}-${certName}.csr`, csr);
@@ -397,16 +397,16 @@ async function renewCert(fqdn, domainObject) {
await safe(updateCertBlobs(fqdn, domainObject));
}
if (settings.mailFqdn() === fqdn) {
debug('renewCert: restarting mail container');
if (domainObject.domain === settings.mailDomain() && getAcmeCertificatePathSync(settings.mailFqdn(), domainObject).certFilePath === acmePaths.certFilePath) {
debug('renewCert: mail certificate changed');
const [restartError] = await safe(mail.handleCertChanged());
if (restartError) debug(`renewCert: error restarting mail container on cert change: ${restartError.message}`);
if (restartError) debug(`renewCert: error updating mail container on cert change: ${restartError.message}`);
}
if (settings.dashboardFqdn() === fqdn) {
debug('renewCert: restarting directory server');
if (domainObject.domain === settings.dashboardDomain() && getAcmeCertificatePathSync(settings.dashboardFqdn(), domainObject).certFilePath === acmePaths.certFilePath) {
debug('renewCert: directory server certificate changed');
const [restartError] = await safe(directoryServer.handleCertChanged());
if (restartError) debug(`renewCert: error restarting directory server on cert change: ${restartError.message}`);
if (restartError) debug(`renewCert: error updating directory server on cert change: ${restartError.message}`);
}
}
@@ -674,7 +674,7 @@ async function renewCerts(options, auditSource, progressCallback) {
if (await needsRenewal(location.fqdn, domainObject)) {
await renewCert(location.fqdn, domainObject);
renewedCertificateNames.push(getAcmeCertificateName(location.fqdn, domainObject));
renewedCertificateNames.push(getAcmeCertificateNameSync(location.fqdn, domainObject));
} else {
progressCallback({ message: `Cert of ${location.fqdn} does not require renewal` });
}
@@ -688,7 +688,7 @@ async function renewCerts(options, auditSource, progressCallback) {
for (const app of allApps) {
if (!app.manifest.addons?.tls) continue;
const addonCertificateName = getAcmeCertificateName(app.fqdn, domainObjectMap[app.domain]);
const addonCertificateName = getAcmeCertificateNameSync(app.fqdn, domainObjectMap[app.domain]);
if (renewedCertificateNames.includes(addonCertificateName)) await apps.restart(app, auditSource);
}
}
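Review bot: The new conditions in the renewCert hunk (`if (domainObject.domain === settings.mailDomain() && getAcmeCertificatePathSync(settings.mailFqdn(), domainObject).certFilePath === acmePaths.certFilePath)` and its dashboard twin) carry no comment saying why the cert path is compared rather than the fqdn, which the replaced `settings.mailFqdn() === fqdn` check made self-evident; add `// compare cert paths, not fqdns: for wildcard certs the mail/dashboard fqdn does not equal the renewed fqdn` above the first one. The two conditions differ only in the settings getters, so a small local helper such as `const usesRenewedCert = (serviceFqdn) => getAcmeCertificatePathSync(serviceFqdn, domainObject).certFilePath === acmePaths.certFilePath;` would keep them from drifting apart. getAcmeCertificatePathSync asserts that its fqdn argument is a string (visible in the -271 hunk), so if settings.mailFqdn() or settings.dashboardFqdn() can ever return null while the matching domain is configured, renewal would now throw where the old equality check merely evaluated false; worth confirming against the settings module. acmePaths is defined outside the hunk and renewCert's body starts and ends beyond it.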