Fix certificate insertion loop to keep valid certificate and ignore the bad one
parent
c875819a2e
commit
ba99fbe390
4 changed files with 35 additions and 16 deletions
|
@ -18,6 +18,21 @@
|
||||||
[frontends.frontend2.routes.test_2]
|
[frontends.frontend2.routes.test_2]
|
||||||
rule = "Host:snitest.org"
|
rule = "Host:snitest.org"
|
||||||
|
|
||||||
|
[[tls]]
|
||||||
|
entryPoints = ["https"]
|
||||||
|
# bad certificates to validate the loop on the certificate appending
|
||||||
|
[tls.certificate]
|
||||||
|
# bad content
|
||||||
|
certFile = """-----BEGIN CERTIFICATE-----
|
||||||
|
MIIC/zCCAeegAwIBAgIJALAYHG/vGqWEMA0GCSqGSIb3DQEBBQUAMBYxFDASBgNV
|
||||||
|
-----END CERTIFICATE-----"""
|
||||||
|
# bad content
|
||||||
|
keyFile = """-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
wihZ13e3i5UQEYuoRcH1RUd1wyYoBSKuQnsT2WwVZ1wlXSYaELAbQgaI9NtfBA0G
|
||||||
|
eRG3DaVpez4DQVupZDHMgxJUYqqKynUj6GD1YiaxGROj3TYCu6e7OxyhalhCllSu
|
||||||
|
w/X5M802XqzLjeec5zHoZDfknnAkgR9MsxZYmZPFaDyL6GOKUB8=
|
||||||
|
-----END RSA PRIVATE KEY-----"""
|
||||||
|
|
||||||
[[tls]]
|
[[tls]]
|
||||||
entryPoints = ["https"]
|
entryPoints = ["https"]
|
||||||
[tls.certificate]
|
[tls.certificate]
|
||||||
|
|
|
@ -118,8 +118,7 @@ func (s *Server) loadConfig(configurations types.Configurations, globalConfigura
|
||||||
|
|
||||||
// Get new certificates list sorted per entrypoints
|
// Get new certificates list sorted per entrypoints
|
||||||
// Update certificates
|
// Update certificates
|
||||||
entryPointsCertificates, err := s.loadHTTPSConfiguration(configurations, globalConfiguration.DefaultEntryPoints)
|
entryPointsCertificates := s.loadHTTPSConfiguration(configurations, globalConfiguration.DefaultEntryPoints)
|
||||||
// FIXME error management
|
|
||||||
|
|
||||||
// Sort routes and update certificates
|
// Sort routes and update certificates
|
||||||
for serverEntryPointName, serverEntryPoint := range serverEntryPoints {
|
for serverEntryPointName, serverEntryPoint := range serverEntryPoints {
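Review bot: By dropping the `err` return on the `loadHTTPSConfiguration` call, loadConfig can no longer tell whether every configured certificate was actually installed — a certificate rejected inside SortTLSPerEntryPoints is only reported through an Errorf, and presumably the entrypoint then answers for those hostnames with whatever default certificate it has, which is a silent TLS degradation the caller cannot surface. I'd have loadHTTPSConfiguration keep returning a signal alongside the map, for instance a count of rejected certificates or an aggregated error that loadConfig can turn into a metric or a warning, e.g. `entryPointsCertificates, rejected := s.loadHTTPSConfiguration(configurations, globalConfiguration.DefaultEntryPoints)`. The removed `// FIXME error management` line was the only reminder of this, so at least a comment saying that invalid certificates are intentionally skipped here would help the next reader. loadConfig starts and continues outside this hunk.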
|
||||||
|
@ -558,17 +557,15 @@ func (s *Server) postLoadConfiguration() {
|
||||||
}
|
}
|
||||||
|
|
||||||
// loadHTTPSConfiguration add/delete HTTPS certificate managed dynamically
|
// loadHTTPSConfiguration add/delete HTTPS certificate managed dynamically
|
||||||
func (s *Server) loadHTTPSConfiguration(configurations types.Configurations, defaultEntryPoints configuration.DefaultEntryPoints) (map[string]map[string]*tls.Certificate, error) {
|
func (s *Server) loadHTTPSConfiguration(configurations types.Configurations, defaultEntryPoints configuration.DefaultEntryPoints) map[string]map[string]*tls.Certificate {
|
||||||
newEPCertificates := make(map[string]map[string]*tls.Certificate)
|
newEPCertificates := make(map[string]map[string]*tls.Certificate)
|
||||||
// Get all certificates
|
// Get all certificates
|
||||||
for _, config := range configurations {
|
for _, config := range configurations {
|
||||||
if config.TLS != nil && len(config.TLS) > 0 {
|
if config.TLS != nil && len(config.TLS) > 0 {
|
||||||
if err := traefiktls.SortTLSPerEntryPoints(config.TLS, newEPCertificates, defaultEntryPoints); err != nil {
|
traefiktls.SortTLSPerEntryPoints(config.TLS, newEPCertificates, defaultEntryPoints)
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return newEPCertificates, nil
|
return newEPCertificates
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *Server) buildServerEntryPoints() map[string]*serverEntryPoint {
|
func (s *Server) buildServerEntryPoints() map[string]*serverEntryPoint {
|
||||||
|
|
|
@ -196,6 +196,17 @@ func (c *Certificate) AppendCertificates(certs map[string]map[string]*tls.Certif
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c *Certificate) getTruncatedCertificateName() string {
|
||||||
|
certName := c.CertFile.String()
|
||||||
|
|
||||||
|
// Truncate certificate information only if it's a well formed certificate content with more than 50 characters
|
||||||
|
if !c.CertFile.IsPath() && strings.HasPrefix(certName, certificateHeader) && len(certName) > len(certificateHeader)+50 {
|
||||||
|
certName = strings.TrimPrefix(c.CertFile.String(), certificateHeader)[:50]
|
||||||
|
}
|
||||||
|
|
||||||
|
return certName
|
||||||
|
}
|
||||||
|
|
||||||
// String is the method to format the flag's value, part of the flag.Value interface.
|
// String is the method to format the flag's value, part of the flag.Value interface.
|
||||||
// The String method's output will be used in diagnostics.
|
// The String method's output will be used in diagnostics.
|
||||||
func (c *Certificates) String() string {
|
func (c *Certificates) String() string {
|
||||||
|
|
14
tls/tls.go
14
tls/tls.go
|
@ -80,27 +80,23 @@ func (r *FilesOrContents) Type() string {
|
||||||
}
|
}
|
||||||
|
|
||||||
// SortTLSPerEntryPoints converts TLS configuration sorted by Certificates into TLS configuration sorted by EntryPoints
|
// SortTLSPerEntryPoints converts TLS configuration sorted by Certificates into TLS configuration sorted by EntryPoints
|
||||||
func SortTLSPerEntryPoints(configurations []*Configuration, epConfiguration map[string]map[string]*tls.Certificate, defaultEntryPoints []string) error {
|
func SortTLSPerEntryPoints(configurations []*Configuration, epConfiguration map[string]map[string]*tls.Certificate, defaultEntryPoints []string) {
|
||||||
if epConfiguration == nil {
|
if epConfiguration == nil {
|
||||||
epConfiguration = make(map[string]map[string]*tls.Certificate)
|
epConfiguration = make(map[string]map[string]*tls.Certificate)
|
||||||
}
|
}
|
||||||
for _, conf := range configurations {
|
for _, conf := range configurations {
|
||||||
if conf.EntryPoints == nil || len(conf.EntryPoints) == 0 {
|
if conf.EntryPoints == nil || len(conf.EntryPoints) == 0 {
|
||||||
if log.GetLevel() >= logrus.DebugLevel {
|
if log.GetLevel() >= logrus.DebugLevel {
|
||||||
certName := conf.Certificate.CertFile.String()
|
log.Debugf("No entryPoint is defined to add the certificate %s, it will be added to the default entryPoints: %s",
|
||||||
// Truncate certificate information only if it's a well formed certificate content with more than 50 characters
|
conf.Certificate.getTruncatedCertificateName(),
|
||||||
if !conf.Certificate.CertFile.IsPath() && strings.HasPrefix(conf.Certificate.CertFile.String(), certificateHeader) && len(conf.Certificate.CertFile.String()) > len(certificateHeader)+50 {
|
strings.Join(defaultEntryPoints, ", "))
|
||||||
certName = strings.TrimPrefix(conf.Certificate.CertFile.String(), certificateHeader)[:50]
|
|
||||||
}
|
|
||||||
log.Debugf("No entryPoint is defined to add the certificate %s, it will be added to the default entryPoints: %s", certName, strings.Join(defaultEntryPoints, ", "))
|
|
||||||
}
|
}
|
||||||
conf.EntryPoints = append(conf.EntryPoints, defaultEntryPoints...)
|
conf.EntryPoints = append(conf.EntryPoints, defaultEntryPoints...)
|
||||||
}
|
}
|
||||||
for _, ep := range conf.EntryPoints {
|
for _, ep := range conf.EntryPoints {
|
||||||
if err := conf.Certificate.AppendCertificates(epConfiguration, ep); err != nil {
|
if err := conf.Certificate.AppendCertificates(epConfiguration, ep); err != nil {
|
||||||
return err
|
log.Errorf("Unable to append certificate %s to entrypoint %s: %v", conf.Certificate.getTruncatedCertificateName(), ep, err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return nil
|
|
||||||
}
|
}
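Review bot: The doc comment on `SortTLSPerEntryPoints` still only describes the sorting, while the function's contract has changed: a certificate that fails `AppendCertificates` is now logged and skipped instead of aborting the whole configuration, and since the loop continues over `conf.EntryPoints` the same bad certificate is reported once per entrypoint. I'd document that on the function, e.g. `// Certificates that cannot be appended are logged and skipped, so epConfiguration only receives the ones that loaded; the error is reported once per entrypoint.` If the failure is caused by the certificate content rather than the entrypoint (which the visible lines suggest but do not prove), a `break` after the Errorf would avoid re-parsing and re-logging the same material for every remaining entrypoint.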
|
||||||
|
|