1
0
Fork 0
mirror of https://github.com/Luzifer/vault-openvpn.git synced 2024-12-26 06:41:20 +00:00

Only use ca_chain if present

The ca_chain is only available if the certificate was imported, not when
the certificate is generated by Vault itself. So try to read it and if
it fails fall back to using the CA cert.

Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
Knut Ahlers 2018-05-27 10:13:59 +02:00
parent 3dfa21116d
commit 99626a1d95
Signed by: luzifer
GPG key ID: DC2729FDD34BE99E

28
main.go
View file

@ -275,9 +275,12 @@ func generateCertificateConfig(tplName, fqdn string) error {
} }
} }
caCert, err := getCACert() caCert, err := getCAChain()
if err != nil { if err != nil {
return fmt.Errorf("Could not load CA certificate: %s", err) caCert, err = getCACert()
if err != nil {
return fmt.Errorf("Could not load CA certificate: %s", err)
}
} }
tplv, err := generateCertificate(fqdn) tplv, err := generateCertificate(fqdn)
@ -402,9 +405,28 @@ func revokeCertificateBySerial(serial string) error {
return nil return nil
} }
func getCACert() (string, error) { func getCAChain() (string, error) {
path := strings.Join([]string{strings.Trim(cfg.PKIMountPoint, "/"), "cert", "ca_chain"}, "/") path := strings.Join([]string{strings.Trim(cfg.PKIMountPoint, "/"), "cert", "ca_chain"}, "/")
cs, err := client.Logical().Read(path) cs, err := client.Logical().Read(path)
if err != nil {
return "", errors.New("Unable to read ca_chain: " + err.Error())
}
if cs.Data == nil {
return "", errors.New("Unable to read ca_chain: Empty")
}
cert, ok := cs.Data["certificate"]
if !ok || len(cert.(string)) == 0 {
return "", errors.New("Unable to read ca_chain: Empty")
}
return cert.(string), nil
}
func getCACert() (string, error) {
path := strings.Join([]string{strings.Trim(cfg.PKIMountPoint, "/"), "cert", "ca"}, "/")
cs, err := client.Logical().Read(path)
if err != nil { if err != nil {
return "", errors.New("Unable to read certificate: " + err.Error()) return "", errors.New("Unable to read certificate: " + err.Error())
} }