From 99626a1d957040acbf8faccffcc3a35c56af3068 Mon Sep 17 00:00:00 2001
From: Knut Ahlers
Date: Sun, 27 May 2018 10:13:59 +0200
Subject: [PATCH] Only use ca_chain if present

The ca_chain is only available if the certificate was imported, not when the certificate is generated by Vault itself. So try to read it and if it fails fall back to using the CA cert.

Signed-off-by: Knut Ahlers
---
 main.go | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/main.go b/main.go
index 8943722..9ca75a4 100644
--- a/main.go
+++ b/main.go
@@ -275,9 +275,12 @@ func generateCertificateConfig(tplName, fqdn string) error {
 }
 }
 
- caCert, err := getCACert()
+ caCert, err := getCAChain()
 if err != nil {
- return fmt.Errorf("Could not load CA certificate: %s", err)
+ caCert, err = getCACert()
+ if err != nil {
+ return fmt.Errorf("Could not load CA certificate: %s", err)
+ }
 }
 
 tplv, err := generateCertificate(fqdn)
@@ -402,9 +405,28 @@ func revokeCertificateBySerial(serial string) error {
 return nil
 }
 
-func getCACert() (string, error) {
+func getCAChain() (string, error) {
 path := strings.Join([]string{strings.Trim(cfg.PKIMountPoint, "/"), "cert", "ca_chain"}, "/")
 cs, err := client.Logical().Read(path)
+ if err != nil {
+ return "", errors.New("Unable to read ca_chain: " + err.Error())
+ }
+
+ if cs.Data == nil {
+ return "", errors.New("Unable to read ca_chain: Empty")
+ }
+
+ cert, ok := cs.Data["certificate"]
+ if !ok || len(cert.(string)) == 0 {
+ return "", errors.New("Unable to read ca_chain: Empty")
+ }
+
+ return cert.(string), nil
+}
+
+func getCACert() (string, error) {
+ path := strings.Join([]string{strings.Trim(cfg.PKIMountPoint, "/"), "cert", "ca"}, "/")
+ cs, err := client.Logical().Read(path)
 if err != nil {
 return "", errors.New("Unable to read certificate: " + err.Error())
 }
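Review bot: The new `if err != nil` fallback in generateCertificateConfig fires on any error from getCAChain(), not only on the chain being absent, so a transport, token or policy failure against the PKI mount is silently replaced by a second read of `cert/ca` and the first error is discarded; when that second read succeeds, the generated config carries only the issuing CA where a full chain was expected, with nothing in the output telling the operator that the fallback happened. At minimum record the first error before falling back, e.g. `log.Printf("ca_chain not available, falling back to CA certificate: %s", err)` using whatever logger main.go already has, and consider having getCAChain distinguish a missing path from a failed request so only the former triggers the fallback. generateCertificateConfig starts and ends outside this hunk.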
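Review bot: getCAChain reads `cs.Data` without checking `cs` itself; the Vault API client returns a nil secret together with a nil error when the path does not exist (HTTP 404), which is precisely the case this commit says it handles, so on a Vault-generated CA with no ca_chain the new code panics on `cs.Data == nil` instead of reaching the fallback in generateCertificateConfig. The unchecked `cert.(string)` assertion two lines later panics as well if the value is not a string. Nil-guard the secret and use a checked assertion as below; the new getCACert has the same shape, but its remaining body lies outside the hunk.
```go
func getCAChain() (string, error) {
	// … unchanged: path construction, Read and the err check …

	// A missing path yields a nil secret with a nil error.
	if cs == nil || cs.Data == nil {
		return "", errors.New("Unable to read ca_chain: Empty")
	}

	cert, ok := cs.Data["certificate"].(string)
	if !ok || cert == "" {
		return "", errors.New("Unable to read ca_chain: Empty")
	}

	return cert, nil
}
```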