Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gateway: fix custom domains request/renew APIs #1158

Merged
merged 4 commits into from Aug 18, 2023
Merged

gateway: fix custom domains request/renew APIs #1158

Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
4e7b371
gateway: fix custom domains request/renew APIs
iulianbarbu Aug 17, 2023
46b52d3
gateway: run until done before starting the idle deploy
iulianbarbu Aug 17, 2023
6349c8b
gateway: add newlines to separate cert chain from pk
iulianbarbu Aug 17, 2023
a12dcc6
Merge branch 'main' into feature/eng-1008-renew-jeff-certificate-issue
iulianbarbu Aug 18, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
39 changes: 25 additions & 14 deletions gateway/src/api/latest.rs
View file
Open in desktop
Expand Up @@ -544,6 +544,8 @@ async fn request_custom_domain_acme_certificate(
}
}
}))
.and_then(task::run_until_done())
.and_then(task::start_idle_deploys())
.send(&sender)
.await?;

Expand Down Expand Up @@ -584,27 +586,36 @@ async fn renew_custom_domain_acme_certificate(
.map_err(|_err| Error::from(ErrorKind::InvalidCustomDomain))?;
// Try retrieve the current certificate if any.
match service.project_details_for_custom_domain(&fqdn).await {
Ok(CustomDomain { certificate, .. }) => {
let (_, pem) = parse_x509_pem(certificate.as_bytes()).unwrap_or_else(|_| {
panic!(
"Malformed existing PEM certificate for {} project.",
project_name
Ok(CustomDomain {
mut certificate,
private_key,
..
}) => {
certificate.push_str(private_key.as_str());
let (_, pem) = parse_x509_pem(certificate.as_bytes()).map_err(|err| {
Error::custom(
ErrorKind::Internal,
format!("Error while parsing the pem certificate for {project_name}: {err}"),
)
});
let (_, x509_cert_chain) = parse_x509_certificate(pem.contents.as_bytes())
.unwrap_or_else(|_| {
panic!(
"Malformed existing X509 certificate for {} project.",
project_name
})?;

let (_, x509_cert_chain) =
parse_x509_certificate(pem.contents.as_bytes()).map_err(|err| {
Error::custom(
ErrorKind::Internal,
format!(
"Error while parsing the certificate chain for {project_name}: {err}"
),
)
});
})?;

let diff = x509_cert_chain
.validity()
.not_after
.sub(ASN1Time::now())
.unwrap();
.unwrap_or_default();

// If current certificate validity less_or_eq than 30 days, attempt renewal.
// Renew only when the difference is `None` (meaning certificate expired) or we're within the last 30 days of validity.
if diff.whole_days() <= RENEWAL_VALIDITY_THRESHOLD_IN_DAYS {
return match acme_client
.create_certificate(&fqdn.to_string(), ChallengeType::Http01, credentials)
Expand Down