author | Andrew Cady <d@jerkface.net> | 2016-04-11 03:31:54 -0400 |
committer | Andrew Cady <d@jerkface.net> | 2016-04-11 03:31:54 -0400 |
commit | e0223ea4f319232a2bb8ae412a94ee5ad1bd7d5b (patch) | |
tree | a76f54241ef80ad6db3dc71709119a371a557651 | |
parent | fa94346e4bd195de96404c36043aa72291d36b1e (diff) |
Properly check for added subdomains
Even when the certificate is not near expiration, a new certificate will
be generated if any name in the configuration file is missing from the
certificate.
-rw-r--r-- | acme-certify.hs | 10 |
1 files changed, 6 insertions, 4 deletions
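--- a/acme-certify.hs
+++ b/acme-certify.hs
@@ -206,14 +206,16 @@ needToFetch cs@CertSpec{..} = runExceptT $ do
   exists <- liftIO $ doesFileExist certFile
   unless exists $ throwError NoExistingCert
 
+  -- TODO: parse with cryptonite
   cert <- liftIO $ readFile certFile >>= readX509
   expiration <- liftIO $ getNotAfter cert
   now <- liftIO getCurrentTime
 
-  -- TODO: check X509v3 subjectAltName list within certificate
-  objList <- liftIO $ readSignedObject certFile
-  sc <- maybe (throwError InvalidExistingCert) return $ preview (folded . _Right) objList
-  liftIO $ print $ certAltNames sc
+  signedCert <- (liftIO (readSignedObject certFile) >>=) $
+    maybe (throwError InvalidExistingCert) return . preview (folded . _Right)
+  let wantedDomains = domainToString . fst <$> csDomains
+      haveDomains = certAltNames signedCert
+  unless (null $ wantedDomains \\ haveDomains) $ throwError SubDomainsAdded
 
   if | expiration < now -> throwError Expired
      | expiration < addUTCTime graceTime now -> throwError NearExpiration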
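Review bot: The new membership check on `unless (null $ wantedDomains \\ haveDomains) $ throwError SubDomainsAdded` compares names as exact strings, but DNS names are case-insensitive, so a configured `Foo.example.com` against a SAN `foo.example.com` (or the reverse) would trigger a needless re-issue on every run; normalizing both sides, e.g. `let wantedDomains = map toLower . domainToString . fst <$> csDomains` and `haveDomains = map toLower <$> certAltNames signedCert`, avoids that, assuming certAltNames yields Strings as the `\\` against wantedDomains suggests (needs `Data.Char (toLower)` in scope, which the hunk does not show). The check is one-directional by design, so a comment such as `-- Only names newly added to the config force a re-issue; names dropped from the config stay on the cert until it expires` on that line would make the intended semantics explicit for the next reader. Because this check runs before the expiry guards, an expired certificate that is also missing a name is reported as SubDomainsAdded rather than Expired, which is probably harmless but worth confirming against how the caller treats the two errors. needToFetch's body continues past the end of the hunk.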