Only use ca_chain if present
The ca_chain is only available if the certificate was imported, not when the certificate is generated by Vault itself. So try to read it first and, if that fails, fall back to using the plain CA cert. Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
parent
3dfa21116d
commit
99626a1d95
1 changed files with 25 additions and 3 deletions
28
main.go
@ -275,9 +275,12 @@ func generateCertificateConfig(tplName, fqdn string) error {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
caCert, err := getCACert()
|
caCert, err := getCAChain()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("Could not load CA certificate: %s", err)
|
caCert, err = getCACert()
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("Could not load CA certificate: %s", err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
tplv, err := generateCertificate(fqdn)
|
tplv, err := generateCertificate(fqdn)
|
||||||
|
@ -402,9 +405,28 @@ func revokeCertificateBySerial(serial string) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func getCACert() (string, error) {
|
func getCAChain() (string, error) {
|
||||||
path := strings.Join([]string{strings.Trim(cfg.PKIMountPoint, "/"), "cert", "ca_chain"}, "/")
|
path := strings.Join([]string{strings.Trim(cfg.PKIMountPoint, "/"), "cert", "ca_chain"}, "/")
|
||||||
cs, err := client.Logical().Read(path)
|
cs, err := client.Logical().Read(path)
|
||||||
|
if err != nil {
|
||||||
|
return "", errors.New("Unable to read ca_chain: " + err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
|
if cs.Data == nil {
|
||||||
|
return "", errors.New("Unable to read ca_chain: Empty")
|
||||||
|
}
|
||||||
|
|
||||||
|
cert, ok := cs.Data["certificate"]
|
||||||
|
if !ok || len(cert.(string)) == 0 {
|
||||||
|
return "", errors.New("Unable to read ca_chain: Empty")
|
||||||
|
}
|
||||||
|
|
||||||
|
return cert.(string), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func getCACert() (string, error) {
|
||||||
|
path := strings.Join([]string{strings.Trim(cfg.PKIMountPoint, "/"), "cert", "ca"}, "/")
|
||||||
|
cs, err := client.Logical().Read(path)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", errors.New("Unable to read certificate: " + err.Error())
|
return "", errors.New("Unable to read certificate: " + err.Error())
|
||||||
}
|
}
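Review bot: The `if cs.Data == nil` check in the new getCAChain does not guard `cs` itself, and the Vault client's `Logical().Read` returns a nil secret with a nil error when the path has no content (404/204 responses), which is presumably exactly the "ca_chain not available" case this fallback exists for — so the caller would hit a nil-pointer panic instead of falling back to getCACert; change the guard to `if cs == nil || cs.Data == nil {`. The unchecked assertions `cert.(string)` in the `!ok ||` condition and the return also panic if the key is present but not a string (e.g. a JSON null); the two-value form `cert, ok := cs.Data["certificate"].(string)` followed by `if !ok || cert == "" {` removes both. Separately, the caller in generateCertificateConfig falls back on any error from getCAChain, including permission-denied or transient Vault errors, which silently emits a config with the bare CA rather than the chain; consider falling back only on the empty/not-found case or at least logging the ca_chain error. The new getCACert body continues past the end of the hunk, so whether it carries the same nil-secret issue cannot be verified from here.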
|
||||||
|
|