Allow forcing cert reissuance (#28)

Refreshing the cert should force renewal as opposed to returning early if the SANs aren't changing. This is currently breaking refresh of expired certs as per: https://github.com/rancher/k3s/issues/1621#issuecomment-669464318 Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-08-10 17:06:11 -07:00
parent 479ab335d6
commit 53f6b38760
7 changed files with 117 additions and 60 deletions
--- a/cert/cert.go
+++ b/cert/cert.go
@@ -45,6 +45,10 @@ const (
 	duration365d = time.Hour * 24 * 365
 )

+var (
+	ErrStaticCert = errors.New("cannot renew static certificate")
+)
+
 // Config contains the basic fields required for creating a certificate
 type Config struct {
 	CommonName   string
@@ -119,7 +123,13 @@ func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKe
 	if err != nil {
 		return nil, err
 	}
-	return x509.ParseCertificate(certDERBytes)
+
+	parsedCert, err := x509.ParseCertificate(certDERBytes)
+	if err == nil {
+		logrus.Infof("certificate %s signed by %s: notBefore=%s notAfter=%s",
+			parsedCert.Subject, caCert.Subject, parsedCert.NotBefore, parsedCert.NotAfter)
+	}
+	return parsedCert, err
 }

 // MakeEllipticPrivateKeyPEM creates an ECDSA private key
@@ -271,11 +281,11 @@ func ipsToStrings(ips []net.IP) []string {
 }

 // IsCertExpired checks if the certificate about to expire
-func IsCertExpired(cert *x509.Certificate) bool {
+func IsCertExpired(cert *x509.Certificate, days int) bool {
 	expirationDate := cert.NotAfter
-	diffDays := expirationDate.Sub(time.Now()).Hours() / 24.0
-	if diffDays <= 90 {
-		logrus.Infof("certificate will expire in %f days", diffDays)
+	diffDays := time.Until(expirationDate).Hours() / 24.0
+	if diffDays <= float64(days) {
+		logrus.Infof("certificate %s will expire in %f days at %s", cert.Subject, diffDays, cert.NotAfter)
 		return true
 	}
 	return false