Only use ca_chain if present

The ca_chain is only available if the certificate was imported, not when the certificate is generated by Vault itself. So try to read it and if it fails fall back to using the CA cert. Signed-off-by: Knut Ahlers <knut@ahlers.me>
2024-11-08 16:20:05 +00:00 · 2018-05-27 10:13:59 +02:00 · 2018-05-27 10:13:59 +02:00 · 99626a1d95
commit 99626a1d95
parent 3dfa21116d
1 changed files with 25 additions and 3 deletions
--- a/main.go
+++ b/main.go
@ -275,9 +275,12 @@ func generateCertificateConfig(tplName, fqdn string) error {
 		}
 	}

-	caCert, err := getCACert()
+	caCert, err := getCAChain()
 	if err != nil {
-		return fmt.Errorf("Could not load CA certificate: %s", err)
+		caCert, err = getCACert()
+		if err != nil {
+			return fmt.Errorf("Could not load CA certificate: %s", err)
+		}
 	}

 	tplv, err := generateCertificate(fqdn)
@ -402,9 +405,28 @@ func revokeCertificateBySerial(serial string) error {
 	return nil
 }

-func getCACert() (string, error) {
+func getCAChain() (string, error) {
 	path := strings.Join([]string{strings.Trim(cfg.PKIMountPoint, "/"), "cert", "ca_chain"}, "/")
 	cs, err := client.Logical().Read(path)
+	if err != nil {
+		return "", errors.New("Unable to read ca_chain: " + err.Error())
+	}
+
+	if cs.Data == nil {
+		return "", errors.New("Unable to read ca_chain: Empty")
+	}
+
+	cert, ok := cs.Data["certificate"]
+	if !ok || len(cert.(string)) == 0 {
+		return "", errors.New("Unable to read ca_chain: Empty")
+	}
+
+	return cert.(string), nil
+}
+
+func getCACert() (string, error) {
+	path := strings.Join([]string{strings.Trim(cfg.PKIMountPoint, "/"), "cert", "ca"}, "/")
+	cs, err := client.Logical().Read(path)
 	if err != nil {
 		return "", errors.New("Unable to read certificate: " + err.Error())
 	}