Merge pull request #589 from bhoppi/main

Fix: new cert issuing is incorrectly delayed
2021-09-08 00:50:32 +08:00 · 2021-09-08 00:50:32 +08:00 · 7a9e72b133
parent 66b58e6076 2220411644
commit 7a9e72b133
1 changed files with 12 additions and 1 deletions
--- a/transport/internet/tls/config.go
+++ b/transport/internet/tls/config.go
@ -121,7 +121,7 @@ func isCertificateExpired(c *tls.Certificate) bool {
 	}

 	// If leaf is not there, the certificate is probably not used yet. We trust user to provide a valid certificate.
-	return c.Leaf != nil && c.Leaf.NotAfter.Before(time.Now().Add(-time.Minute))
+	return c.Leaf != nil && c.Leaf.NotAfter.Before(time.Now().Add(time.Minute*2))
 }

 func issueCertificate(rawCA *Certificate, domain string) (*tls.Certificate, error) {
@ -173,6 +173,9 @@ func getGetCertificateFunc(c *tls.Config, ca []*Certificate) func(hello *tls.Cli
 			for _, certificate := range c.Certificates {
 				if !isCertificateExpired(&certificate) {
 					newCerts = append(newCerts, certificate)
+				} else if certificate.Leaf != nil {
+					expTime := certificate.Leaf.NotAfter.Format(time.RFC3339)
+					newError("old certificate for ", domain, " (expire on ", expTime, ") discarded").AtInfo().WriteToLog()
 				}
 			}

@ -190,6 +193,14 @@ func getGetCertificateFunc(c *tls.Config, ca []*Certificate) func(hello *tls.Cli
 					newError("failed to issue new certificate for ", domain).Base(err).WriteToLog()
 					continue
 				}
+				parsed, err := x509.ParseCertificate(newCert.Certificate[0])
+				if err == nil {
+					newCert.Leaf = parsed
+					expTime := parsed.NotAfter.Format(time.RFC3339)
+					newError("new certificate for ", domain, " (expire on ", expTime, ") issued").AtInfo().WriteToLog()
+				} else {
+					newError("failed to parse new certificate for ", domain).Base(err).WriteToLog()
+				}

 				access.Lock()
 				c.Certificates = append(c.Certificates, *newCert)