Properly check for added subdomains

Regardless of whether the certificate isn't near expiration, if any name in the configuration file isn't in the certificate, a new certificate will be generated.
author: Andrew Cady <d@jerkface.net> 2016-04-11 03:31:54 -0400
committer: Andrew Cady <d@jerkface.net> 2016-04-11 03:31:54 -0400
commit: e0223ea4f319232a2bb8ae412a94ee5ad1bd7d5b (patch)
tree: a76f54241ef80ad6db3dc71709119a371a557651
parent: fa94346e4bd195de96404c36043aa72291d36b1e (diff)
1 files changed, 6 insertions, 4 deletions
diff --git a/acme-certify.hs b/acme-certify.hs
index af11042..94891d0 100644
--- a/acme-certify.hs
+++ b/acme-certify.hs
@@ -206,14 +206,16 @@ needToFetch cs@CertSpec{..} = runExceptT $ do
  exists <- liftIO $ doesFileExist certFile
  unless exists $ throwError NoExistingCert
+  -- TODO: parse with cryptonite
  cert <- liftIO $ readFile certFile >>= readX509
  expiration <- liftIO $ getNotAfter cert
  now <- liftIO getCurrentTime
-  -- TODO: check X509v3 subjectAltName list within certificate
+  signedCert <- (liftIO (readSignedObject certFile) >>=) $
-  objList <- liftIO $ readSignedObject certFile
+                maybe (throwError InvalidExistingCert) return . preview (folded . _Right)
-  sc <- maybe (throwError InvalidExistingCert) return $ preview (folded . _Right) objList
+  let wantedDomains = domainToString . fst <$> csDomains
-  liftIO $ print $ certAltNames sc
+      haveDomains = certAltNames signedCert
+  unless (null $ wantedDomains \\ haveDomains) $ throwError SubDomainsAdded
  if | expiration < now                      -> throwError Expired
     | expiration < addUTCTime graceTime now -> throwError NearExpiration
author	Andrew Cady <d@jerkface.net>	2016-04-11 03:31:54 -0400
committer	Andrew Cady <d@jerkface.net>	2016-04-11 03:31:54 -0400
commit	e0223ea4f319232a2bb8ae412a94ee5ad1bd7d5b (patch)
tree	a76f54241ef80ad6db3dc71709119a371a557651
parent	fa94346e4bd195de96404c36043aa72291d36b1e (diff)