From 2220411644c282d53acd9edf9fcd950af4ae4548 Mon Sep 17 00:00:00 2001 From: Bhoppi Chaw Date: Sat, 5 Jun 2021 23:32:05 +0800 Subject: [PATCH] fix new cert issuing is incorrectly delayed --- transport/internet/tls/config.go | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/transport/internet/tls/config.go b/transport/internet/tls/config.go index e39a9a4f..cde729f2 100644 --- a/transport/internet/tls/config.go +++ b/transport/internet/tls/config.go @@ -121,7 +121,7 @@ func isCertificateExpired(c *tls.Certificate) bool { } // If leaf is not there, the certificate is probably not used yet. We trust user to provide a valid certificate. - return c.Leaf != nil && c.Leaf.NotAfter.Before(time.Now().Add(-time.Minute)) + return c.Leaf != nil && c.Leaf.NotAfter.Before(time.Now().Add(time.Minute*2)) } func issueCertificate(rawCA *Certificate, domain string) (*tls.Certificate, error) { @@ -173,6 +173,9 @@ func getGetCertificateFunc(c *tls.Config, ca []*Certificate) func(hello *tls.Cli for _, certificate := range c.Certificates { if !isCertificateExpired(&certificate) { newCerts = append(newCerts, certificate) + } else if certificate.Leaf != nil { + expTime := certificate.Leaf.NotAfter.Format(time.RFC3339) + newError("old certificate for ", domain, " (expire on ", expTime, ") discarded").AtInfo().WriteToLog() } } @@ -190,6 +193,14 @@ func getGetCertificateFunc(c *tls.Config, ca []*Certificate) func(hello *tls.Cli newError("failed to issue new certificate for ", domain).Base(err).WriteToLog() continue } + parsed, err := x509.ParseCertificate(newCert.Certificate[0]) + if err == nil { + newCert.Leaf = parsed + expTime := parsed.NotAfter.Format(time.RFC3339) + newError("new certificate for ", domain, " (expire on ", expTime, ") issued").AtInfo().WriteToLog() + } else { + newError("failed to parse new certificate for ", domain).Base(err).WriteToLog() + } access.Lock() c.Certificates = append(c.Certificates, *newCert)