feat: Potentially handle renewing certificates

2024-01-01 14:47:13 +01:00 · 2024-01-01 14:47:13 +01:00 · d0a24a60ed
commit d0a24a60ed
parent 3af3f6bb7e
5 changed files with 57 additions and 20 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,5 @@
-./rio
+# Artificats
+rio
+
+# Testing stuff
+*.json
--- a/internal/certificates/certificate.go
+++ b/internal/certificates/certificate.go
@ -18,6 +18,35 @@ import (
 	"github.com/go-acme/lego/v4/lego"
 )

+func RenewCertificate(old *CertificateWrapper, acmeClient *lego.Client) (CertificateWrapper, error) {
+	pk, _ := base64.StdEncoding.DecodeString(old.PrivateKeyEncoded)
+	res := certificate.Resource{
+		PrivateKey:  pk,
+		Certificate: old.Certificate,
+		CSR:         old.CSR,
+	}
+
+	new, err := acmeClient.Certificate.Renew(res, true, false, "")
+	if err != nil {
+		return CertificateWrapper{}, err
+	}
+
+	// Convert the new certificate into a wrapper struct
+	tlsCert, err := tls.X509KeyPair(new.Certificate, new.PrivateKey)
+	if err != nil {
+		return CertificateWrapper{}, err
+	}
+	wrapper := CertificateWrapper{
+		TlsCertificate:    &tlsCert,
+		Domain:            old.Domain,
+		NotAfter:          time.Now().Add(time.Hour * 24 * 60),
+		PrivateKeyEncoded: base64.StdEncoding.EncodeToString(new.PrivateKey),
+		Certificate:       new.Certificate,
+		CSR:               new.CSR,
+	}
+	return wrapper, nil
+}
+
 func ObtainNewCertificate(domains []string, acmeClient *lego.Client) (CertificateWrapper, error) {
 	req := certificate.ObtainRequest{
 		Domains: domains,
@ -40,8 +69,7 @@ func ObtainNewCertificate(domains []string, acmeClient *lego.Client) (Certificat
 		NotAfter:          time.Now().Add(time.Hour * 24 * 60),
 		PrivateKeyEncoded: base64.StdEncoding.EncodeToString(cert.PrivateKey),
 		Certificate:       cert.Certificate,
-		IssuerCertificate: cert.IssuerCertificate,
-		CertificateUrl:    cert.CertURL,
+		CSR:               cert.CSR,
 	}
 	return wrapper, nil
 }
@ -103,7 +131,6 @@ func MakeFallbackCertificate(pagesDomain string) (*CertificateWrapper, error) {
 		NotAfter:          notAfter,
 		PrivateKeyEncoded: base64.StdEncoding.EncodeToString(certcrypto.PEMEncode(key)),
 		Certificate:       outBytes,
-		IssuerCertificate: outBytes,
-		CertificateUrl:    "localhost",
+		CSR:               []byte{},
 	}, nil
 }
--- a/internal/certificates/store.go
+++ b/internal/certificates/store.go
@ -19,8 +19,7 @@ type CertificateWrapper struct {
 	NotAfter          time.Time        `json:"not_after"`
 	PrivateKeyEncoded string           `json:"private_key"`
 	Certificate       []byte           `json:"certificate"`
-	IssuerCertificate []byte           `json:"issuer_certificate"`
-	CertificateUrl    string           `json:"certificate_url"`
+	CSR               []byte           `json:"csr"`
 }

 // A structure to store all the certificates we know of in.
--- a/internal/server/tls.go
+++ b/internal/server/tls.go
@ -15,30 +15,30 @@ import (

 var (
 	// To access requestingDomains, first acquire the lock.
-	requestingLock = sync.Mutex{}
+	domainsLock = sync.Mutex{}

-	// Domain -> _. Check if domain is a key here to see if we're already requeting
-	// a certificate for it.
-	requestingDomains = make(map[string]bool)
+	// Domain -> _. Check if domain is a key here to see if we're already requesting
+	// or renewing a certificate for that domain.
+	workingDomains = make(map[string]bool)
 )

 func lockIfUnlockedDomain(domain string) bool {
-	requestingLock.Lock()
-	defer requestingLock.Unlock()
+	domainsLock.Lock()
+	defer domainsLock.Unlock()

-	_, found := requestingDomains[domain]
+	_, found := workingDomains[domain]
 	if !found {
-		requestingDomains[domain] = true
+		workingDomains[domain] = true
 	}

 	return found
 }

 func unlockDomain(domain string) {
-	requestingLock.Lock()
-	defer requestingLock.Unlock()
+	domainsLock.Lock()
+	defer domainsLock.Unlock()

-	delete(requestingDomains, domain)
+	delete(workingDomains, domain)
 }

 func MakeTlsConfig(pagesDomain, cachePath string, cache *certificates.CertificatesCache, acmeClient *lego.Client) *tls.Config {
@ -76,8 +76,15 @@ func MakeTlsConfig(pagesDomain, cachePath string, cache *certificates.Certificat
 					}
 					defer unlockDomain(domain)

-					// TODO: Renew
+					// Renew
 					log.Debugf("Certificate for %s expired, renewing", domain)
+					newCert, err := certificates.RenewCertificate(&cert, acmeClient)
+					if err != nil {
+						log.Errorf("Failed to renew certificate for %s: %v", domain, err)
+						return cert.TlsCertificate, nil
+					}
+					cache.AddCert(newCert, cachePath)
+					return newCert.TlsCertificate, nil
 				}
 			} else {
 				// Don't request if we're already requesting.
--- a/BIN
+++ b/BIN