Comparison

core/certmanager.lua @ 12305:f8b8061461e3

core.certmanager: Ensure key exists for fullchain

Since 5cd075ed4fd3 any file matching "fullchain" would be considered for use. Dehydrated stores fullchain certs in e.g. fullchain-1641171024.pem and a symlink fullchain.pem pointing at the latest one. However, the current rule for finding a corresponding private key would try privkey-1641171024.pem in the same directory, which may not exist.
author Kim Alvefur <zash@zash.se>
date Mon, 21 Feb 2022 08:54:39 +0100
parent 12287:5cd075ed4fd3
child 12362:0fd58f54d653
12304:8210c2a52e9c 12305:f8b8061461e3
128 elseif file:find("%.crt$") or file:find("fullchain") then -- This should catch most fullchain files 128 elseif file:find("%.crt$") or file:find("fullchain") then -- This should catch most fullchain files
129 local f = io_open(full); 129 local f = io_open(full);
130 if f then 130 if f then
131 -- TODO look for chained certificates 131 -- TODO look for chained certificates
132 local firstline = f:read(); 132 local firstline = f:read();
133 if firstline == "-----BEGIN CERTIFICATE-----" then 133 if firstline == "-----BEGIN CERTIFICATE-----" and lfs.attributes(find_matching_key(full), "mode") == "file" then
134 f:seek("set") 134 f:seek("set")
135 local cert = ssl.loadcertificate(f:read("*a")) 135 local cert = ssl.loadcertificate(f:read("*a"))
136 -- TODO if more than one cert is found for a name, the most recently 136 -- TODO if more than one cert is found for a name, the most recently
137 -- issued one should be used. 137 -- issued one should be used.
138 -- for now, just filter out expired certs 138 -- for now, just filter out expired certs
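Review bot: On new line 133 a certificate whose `find_matching_key(full)` path is not a regular file is now skipped silently, so an operator with a timestamped fullchain-*.pem and no matching key gets no indication of why the file was ignored. Consider splitting the condition so the missing-key case emits a debug log naming the certificate path and the key path that was tried, keeping the result of `find_matching_key(full)` in a local for that purpose. The `lfs.attributes(..., "mode") == "file"` test also establishes only that the path is a regular file, not that the key is readable by the server or belongs to this certificate, so a short comment stating that this is an existence check only would prevent it from being read as validation.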