From 2a06a70f67bb4eb1dccca0ca2f78103d08107712 Mon Sep 17 00:00:00 2001
From: Brian Olsen
Date: Mon, 24 Oct 2022 18:17:48 +0000
Subject: [PATCH 1/3] t3c: warn and skip on certs that fail the pem Decode

---
 cache-config/t3c-apply/torequest/cmd.go       | 4 ++++
 cache-config/t3c-apply/torequest/torequest.go | 7 +++----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/cache-config/t3c-apply/torequest/cmd.go b/cache-config/t3c-apply/torequest/cmd.go
index 07a4e9763e..3063fce7ab 100644
--- a/cache-config/t3c-apply/torequest/cmd.go
+++ b/cache-config/t3c-apply/torequest/cmd.go
@@ -421,6 +421,10 @@ func checkRefs(cfg config.Cfg, cfgFile []byte, filesAdding []string) error {
 // checkCert checks the validity of the ssl certificate.
 func checkCert(c []byte) error {
 	block, _ := pem.Decode(c)
+	if block == nil {
+		log.Errorln("Bad Certificate:\n'", string(c), "'")
+		return errors.New("Error Decoding Certificate")
+	}
 	cert, err := x509.ParseCertificate(block.Bytes)
 	if err != nil {
 		return errors.New("Error Parsing Certificate: " + err.Error())
diff --git a/cache-config/t3c-apply/torequest/torequest.go b/cache-config/t3c-apply/torequest/torequest.go
index 4287d21448..f8d137ab57 100644
--- a/cache-config/t3c-apply/torequest/torequest.go
+++ b/cache-config/t3c-apply/torequest/torequest.go
@@ -239,11 +239,10 @@ func (r *TrafficOpsReq) checkConfigFile(cfg *ConfigFile, filesAdding []string) e
 
 	if strings.HasSuffix(cfg.Name, ".cer") {
 		if err := checkCert(cfg.Body); err != nil {
-			r.configFileWarnings[cfg.Name] = append(r.configFileWarnings[cfg.Name], fmt.Sprintln(err))
-		}
-		for _, wrn := range cfg.Warnings {
-			r.configFileWarnings[cfg.Name] = append(r.configFileWarnings[cfg.Name], wrn)
+			r.configFileWarnings[cfg.Name] = append(r.configFileWarnings[cfg.Name], err.Error())
+			return err
 		}
+		r.configFileWarnings[cfg.Name] = append(r.configFileWarnings[cfg.Name], cfg.Warnings...)
 	}
 
 	changeNeeded, err := diff(r.Cfg, cfg.Body, cfg.Path, r.Cfg.ReportOnly, cfg.Perm, cfg.Uid, cfg.Gid)
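Review bot: The new `log.Errorln` in checkCert writes the entire undecodable file body to the log, and that body is precisely the input we already know is not a well-formed certificate; if a `.cer` body ever carries key material by mistake, it lands in plain text in the log. A size is enough to diagnose the problem without echoing the content: `log.Errorf("Bad Certificate: no PEM block found in %d bytes", len(c))`. Separately, `block, _ := pem.Decode(c)` keeps only the first PEM block and discards the rest, so a bundle whose later certificates are malformed or expired still passes this check — if that is intended, a one-line comment on the function saying only the leaf is validated would save the next reader a question. checkCert's body continues past the end of the hunk.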
From 3c59c649db5450574642406f903685147b73b930 Mon Sep 17 00:00:00 2001
From: Brian Olsen
Date: Mon, 24 Oct 2022 18:28:15 +0000
Subject: [PATCH 2/3] add fatal flag for escalation

---
 cache-config/t3c-apply/torequest/cmd.go       | 11 +++++++----
 cache-config/t3c-apply/torequest/torequest.go |  7 +++++--
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/cache-config/t3c-apply/torequest/cmd.go b/cache-config/t3c-apply/torequest/cmd.go
index 3063fce7ab..c0b0877d82 100644
--- a/cache-config/t3c-apply/torequest/cmd.go
+++ b/cache-config/t3c-apply/torequest/cmd.go
@@ -419,15 +419,18 @@ func checkRefs(cfg config.Cfg, cfgFile []byte, filesAdding []string) error {
 }
 
 // checkCert checks the validity of the ssl certificate.
-func checkCert(c []byte) error {
+func checkCert(c []byte) (error, bool) {
+	fatal := false
 	block, _ := pem.Decode(c)
 	if block == nil {
 		log.Errorln("Bad Certificate:\n'", string(c), "'")
-		return errors.New("Error Decoding Certificate")
+		fatal = true
+		return errors.New("Error Decoding Certificate"), fatal
 	}
 	cert, err := x509.ParseCertificate(block.Bytes)
 	if err != nil {
-		return errors.New("Error Parsing Certificate: " + err.Error())
+		fatal = true
+		return errors.New("Error Parsing Certificate: " + err.Error()), fatal
 	}
 	if cert.NotAfter.Unix() < time.Now().Unix() {
 		err = errors.New("Certificate expired: " + cert.NotAfter.Format(config.TimeAndDateLayout))
@@ -435,7 +438,7 @@ func checkCert(c []byte) error {
 	} else {
 		log.Infof("Certificate valid until %s ", cert.NotAfter.Format(config.TimeAndDateLayout))
 	}
-	return err
+	return err, fatal
 }
 
 // checkReload is a helper for the sub-command t3c-check-reload.
diff --git a/cache-config/t3c-apply/torequest/torequest.go b/cache-config/t3c-apply/torequest/torequest.go
index f8d137ab57..52fcbfcbb7 100644
--- a/cache-config/t3c-apply/torequest/torequest.go
+++ b/cache-config/t3c-apply/torequest/torequest.go
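Review bot: The new signature `func checkCert(c []byte) (error, bool)` puts the error first, which Go convention (and staticcheck's ST1008) wants last; `(bool, error)` read as `fatal, err := checkCert(...)` also matches the `x, err :=` shape used elsewhere in this hunk. The `fatal := false` flag is only ever set to true immediately before the two fatal returns, so those can be `return true, errors.New(...)` and the final one `return false, err`, with no mutable state to track. Note also that only `NotAfter` is compared against the current time, so a certificate whose `NotBefore` is still in the future is logged as valid — that may be deliberate for pre-staged certs, but a one-line comment to that effect on the function would make it explicit. The first hunk ends mid-function; checkCert continues in the second hunk below.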
@@ -238,11 +238,14 @@ func (r *TrafficOpsReq) checkConfigFile(cfg *ConfigFile, filesAdding []string) e
 	}
 
 	if strings.HasSuffix(cfg.Name, ".cer") {
-		if err := checkCert(cfg.Body); err != nil {
+		err, fatal := checkCert(cfg.Body)
+		if err != nil {
 			r.configFileWarnings[cfg.Name] = append(r.configFileWarnings[cfg.Name], err.Error())
-			return err
 		}
 		r.configFileWarnings[cfg.Name] = append(r.configFileWarnings[cfg.Name], cfg.Warnings...)
+		if fatal {
+			return errors.New(err.Error() + " for: " + cfg.Name)
+		}
 	}
 
 	changeNeeded, err := diff(r.Cfg, cfg.Body, cfg.Path, r.Cfg.ReportOnly, cfg.Perm, cfg.Uid, cfg.Gid)

From cafe2c7585c2938aea1350ba682b458247edb002 Mon Sep 17 00:00:00 2001
From: Brian Olsen
Date: Mon, 24 Oct 2022 18:34:48 +0000
Subject: [PATCH 3/3] add changelog

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 59dc09c414..dac0eb3081 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -42,6 +42,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - [#7125](https://github.com/apache/trafficcontrol/issues/7125) *Docs* Reflect implementation and deprecation notice for `letsencrypt/autorenew` endpoint.
 - [#7158](https://github.com/apache/trafficcontrol/issues/7158) *Traffic Vault* Fix the `reencrypt` utility to uniquely reencrypt each version of the SSL Certificates.
 - [#7137](https://github.com/apache/trafficcontrol/pull/7137) *Cache Config* parent.config simulate topology for non topo delivery services.
+- Adds an extra T3C check for validity of an ssl cert (crash fix).
 
 ## [7.0.0] - 2022-07-19
 ### Added
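Review bot: In the fatal branch the error is rebuilt by concatenation, `errors.New(err.Error() + " for: " + cfg.Name)`, which drops the original error from the chain; `fmt.Errorf("%s: %w", cfg.Name, err)` keeps `errors.Is`/`errors.As` usable by callers, and `fmt` was already in use in this function before this series. That branch also dereferences `err` unconditionally, so it relies on checkCert never returning `fatal == true` with a nil error — true of the two fatal paths visible in this series, but worth pinning with a comment such as `// checkCert sets fatal only alongside a non-nil error` or a defensive `if fatal && err != nil`. A fatal certificate is both appended to `configFileWarnings` and returned as the function's error, so it may be surfaced twice depending on how warnings are reported on the error path, which this hunk does not show. checkConfigFile begins and ends outside the hunk.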