From c82df1bddc231c3d967e5da6e0a02e085f2d42d0 Mon Sep 17 00:00:00 2001
From: Oliver Gugger
Date: Fri, 14 Aug 2020 14:16:01 +0200
Subject: [PATCH] aperture: only renew certificate if we signed it

In case we use an externally provided certificate (which is created by an external Let's Encrypt process for example), we don't want to try to renew it. We identify our own certificates by the organization field we set.
---
 aperture.go | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/aperture.go b/aperture.go
index 43e6999..daa01cc 100644
--- a/aperture.go
+++ b/aperture.go
@@ -35,6 +35,10 @@ const (
 // represent a path-like structure.
 etcdKeyDelimeter = "/"
 
+ // selfSignedCertOrganization is the static string that we encode in the
+ // organization field of a certificate if we create it ourselves.
+ selfSignedCertOrganization = "aperture autogenerated cert"
+
 // selfSignedCertValidity is the certificate validity duration we are
 // using for aperture certificates. This is higher than lnd's default
 // 14 months and is set to a maximum just below what some operating
@@ -331,7 +335,7 @@ func getTLSConfig(serverName string, autoCert bool) (*tls.Config, error) {
 if !fileExists(tlsCertFile) && !fileExists(tlsKeyFile) {
 log.Infof("Generating TLS certificates...")
 err := cert.GenCertPair(
- "aperture autogenerated cert", tlsCertFile, tlsKeyFile,
+ selfSignedCertOrganization, tlsCertFile, tlsKeyFile,
 nil, nil, selfSignedCertValidity,
 )
 if err != nil {
@@ -353,9 +357,16 @@ func getTLSConfig(serverName string, autoCert bool) (*tls.Config, error) {
 -1 * selfSignedCertExpiryMargin,
 )
 
+ // We only want to renew a certificate that we created ourselves. If
+ // we are using a certificate that was passed to us (perhaps created by
+ // an externally running Let's Encrypt process) we aren't going to try
+ // to replace it.
+ isSelfSigned := len(parsedCert.Subject.Organization) > 0 &&
+ parsedCert.Subject.Organization[0] == selfSignedCertOrganization
+
 // If the certificate expired or it was outdated, delete it and the TLS
 // key and generate a new pair.
- if time.Now().After(expiryWithMargin) {
+ if isSelfSigned && time.Now().After(expiryWithMargin) {
 log.Info("TLS certificate will expire soon, generating a " +
 "new one")
 
@@ -371,7 +382,7 @@ func getTLSConfig(serverName string, autoCert bool) (*tls.Config, error) {
 
 log.Infof("Renewing TLS certificates...")
 err = cert.GenCertPair(
- "aperture autogenerated cert", tlsCertFile, tlsKeyFile,
+ selfSignedCertOrganization, tlsCertFile, tlsKeyFile,
 nil, nil, selfSignedCertValidity,
 )
 if err != nil {
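Review bot: With the new `isSelfSigned &&` guard, an externally provided certificate that is already past `expiryWithMargin` is now served without any log output, so an operator whose external renewal process has stalled gets no signal from aperture until TLS handshakes start failing. A small explicit branch keeps the new behaviour but makes the condition visible, e.g. `} else if time.Now().After(expiryWithMargin) {` / `log.Warnf("TLS certificate expires soon but was not generated by aperture, not renewing it")` / `}` directly after the renewal block. The check itself only compares `parsedCert.Subject.Organization[0]`, not the issuer, so `isSelfSigned` names a stronger property than is verified; a rename such as `isAutogenerated`, or a comment like `// Organization is the only marker we set on our own certs; an external cert carrying the same value would be treated as ours.`, would document that. The pre-existing comment `// If the certificate expired or it was outdated, delete it and the TLS` should also gain the new condition, e.g. `// If a certificate we generated ourselves expired or is about to, ...`. getTLSConfig begins and ends outside this hunk.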