author | Christian Breunig <christian@breunig.cc> | 2025-03-30 15:07:03 +0200 |
---|---|---|
committer | Christian Breunig <christian@breunig.cc> | 2025-03-30 20:07:18 +0200 |
commit | 1f82952b36c75d3b3965f4837b815aef8d307d5b (patch) | |
tree | 44d0e1ed126f350b8d2fced94140193d413b4f8b /src | |
parent | 4871e5bb5b8c3f1cab12fdc36a02ac99902a9eb1 (diff) | |
pki: T7299: race condition for acme requested certificates / CA chain
When using the VyOS internal PKI subsystem to request a certificate using ACME,
the issuer CA is not automatically imported in the PKI subsystem on the first
run due to a race condition.
The issue is fixed by adding all newly requested and granted ACME certificates to
the list of ACME certificates "on disk" which are used to extract the issuing
CA certificate.
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/pki.py | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py
index acea2c9be..724f97555 100755
--- a/src/conf_mode/pki.py
+++ b/src/conf_mode/pki.py
@@ -440,13 +440,21 @@ def generate(pki):
         for name, cert_conf in pki['certificate'].items():
             if 'acme' in cert_conf:
                 certbot_list.append(name)
-                # generate certificate if not found on disk
+                # There is no ACME/certbot managed certificate presend on the
+                # system, generate it
                 if name not in certbot_list_on_disk:
                     certbot_request(name, cert_conf['acme'], dry_run=False)
+                    # Now that the certificate was properly generated we have
+                    # the PEM files on disk. We need to add the certificate to
+                    # certbot_list_on_disk to automatically import the CA chain
+                    certbot_list_on_disk.append(name)
+                # We alredy had an ACME managed certificate on the system, but
+                # something changed in the configuration
                 elif changed_certificates != None and name in changed_certificates:
-                    # when something for the certificate changed, we should delete it
+                    # Delete old ACME certificate first
                     if name in certbot_list_on_disk:
                         certbot_delete(name)
+                    # Request new certificate via certbot
                     certbot_request(name, cert_conf['acme'], dry_run=False)
 
         # Cleanup certbot configuration and certificates if no longer in use by CLI
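Review bot: The new `certbot_list_on_disk.append(name)` runs unconditionally after `certbot_request(...)`, so if that call can return without raising on a failed or rejected ACME request, the name is recorded as present on disk and the later CA-chain import will look for PEM files that do not exist; unless `certbot_request` is known to raise on failure (it is outside this hunk, so I cannot confirm), the append should be guarded by a check that the certificate directory actually appeared, or `certbot_request` should signal success explicitly. The comment above the append already states that the PEM files are on disk, which is exactly the assumption worth verifying in code. Two typos in the added comments: `# There is no ACME/certbot managed certificate present on the` and `# We already had an ACME managed certificate on the system, but`. The enclosing `generate()` starts before this hunk and continues after it.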