Merge pull request #40 from guggero/renew-selfsigned-only

aperture: only renew certificate if we signed it
Olaoluwa Osuntokun
2020-08-14 17:15:52 -07:00
committed by GitHub


@@ -35,6 +35,10 @@ const (
// represent a path-like structure.
etcdKeyDelimeter = "/"
// selfSignedCertOrganization is the static string that we encode in the
// organization field of a certificate if we create it ourselves.
selfSignedCertOrganization = "aperture autogenerated cert"
// selfSignedCertValidity is the certificate validity duration we are
// using for aperture certificates. This is higher than lnd's default
// 14 months and is set to a maximum just below what some operating
@@ -331,7 +335,7 @@ func getTLSConfig(serverName string, autoCert bool) (*tls.Config, error) {
if !fileExists(tlsCertFile) && !fileExists(tlsKeyFile) {
log.Infof("Generating TLS certificates...")
err := cert.GenCertPair(
"aperture autogenerated cert", tlsCertFile, tlsKeyFile,
selfSignedCertOrganization, tlsCertFile, tlsKeyFile,
nil, nil, selfSignedCertValidity,
)
if err != nil {
@@ -353,9 +357,16 @@ func getTLSConfig(serverName string, autoCert bool) (*tls.Config, error) {
-1 * selfSignedCertExpiryMargin,
)
// We only want to renew a certificate that we created ourselves. If
// we are using a certificate that was passed to us (perhaps created by
// an externally running Let's Encrypt process) we aren't going to try
// to replace it.
isSelfSigned := len(parsedCert.Subject.Organization) > 0 &&
parsedCert.Subject.Organization[0] == selfSignedCertOrganization
// If the certificate expired or it was outdated, delete it and the TLS
// key and generate a new pair.
if time.Now().After(expiryWithMargin) {
if isSelfSigned && time.Now().After(expiryWithMargin) {
log.Info("TLS certificate will expire soon, generating a " +
"new one")
@@ -371,7 +382,7 @@ func getTLSConfig(serverName string, autoCert bool) (*tls.Config, error) {
log.Infof("Renewing TLS certificates...")
err = cert.GenCertPair(
"aperture autogenerated cert", tlsCertFile, tlsKeyFile,
selfSignedCertOrganization, tlsCertFile, tlsKeyFile,
nil, nil, selfSignedCertValidity,
)
if err != nil {
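Review bot: In the third hunk, the new condition `if isSelfSigned && time.Now().After(expiryWithMargin) {` makes an expiring or already expired externally supplied certificate fall through silently, so an operator whose Let's Encrypt (or other) process has stalled gets no signal that aperture keeps serving a stale certificate. A sibling branch on the same expiry check, `} else if time.Now().After(expiryWithMargin) {` followed by something like `log.Warnf("TLS certificate expires at %v but was not generated by aperture, not renewing it", parsedCert.NotAfter)` (assuming the logger exposes a Warnf as it does Infof), would keep the new non-renewal behaviour while making it observable; the if block it would attach to closes outside the hunk. The `isSelfSigned` computation also deserves a one-line comment stating that the organization string is the only marker used, so a third-party certificate that happens to carry `selfSignedCertOrganization` as its first organization would be deleted and replaced by this path. getTLSConfig's body begins and ends outside the visible hunks.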