apache · rob05c · Nov 2, 2022 · Oct 24, 2022 · Oct 24, 2022 · Oct 24, 2022
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -42,6 +42,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - [#7125](https://github.com/apache/trafficcontrol/issues/7125) *Docs* Reflect implementation and deprecation notice for `letsencrypt/autorenew` endpoint.
 - [#7158](https://github.com/apache/trafficcontrol/issues/7158) *Traffic Vault* Fix the `reencrypt` utility to uniquely reencrypt each version of the SSL Certificates.
 - [#7137](https://github.com/apache/trafficcontrol/pull/7137) *Cache Config* parent.config simulate topology for non topo delivery services.
+- Adds an extra T3C check for validity of an ssl cert (crash fix).
 
 ## [7.0.0] - 2022-07-19
 ### Added

diff --git a/cache-config/t3c-apply/torequest/cmd.go b/cache-config/t3c-apply/torequest/cmd.go
@@ -419,19 +419,26 @@ func checkRefs(cfg config.Cfg, cfgFile []byte, filesAdding []string) error {
 }
 
 // checkCert checks the validity of the ssl certificate.
-func checkCert(c []byte) error {
+func checkCert(c []byte) (error, bool) {
+	fatal := false
 	block, _ := pem.Decode(c)
+	if block == nil {
+		log.Errorln("Bad Certificate:\n'", string(c), "'")
+		fatal = true
+		return errors.New("Error Decoding Certificate"), fatal
+	}
 	cert, err := x509.ParseCertificate(block.Bytes)
 	if err != nil {
-		return errors.New("Error Parsing Certificate: " + err.Error())
+		fatal = true
+		return errors.New("Error Parsing Certificate: " + err.Error()), fatal
 	}
 	if cert.NotAfter.Unix() < time.Now().Unix() {
 		err = errors.New("Certificate expired: " + cert.NotAfter.Format(config.TimeAndDateLayout))
 		log.Warnf(err.Error())
 	} else {
 		log.Infof("Certificate valid until %s ", cert.NotAfter.Format(config.TimeAndDateLayout))
 	}
-	return err
+	return err, fatal
 }
 
 // checkReload is a helper for the sub-command t3c-check-reload.

diff --git a/cache-config/t3c-apply/torequest/torequest.go b/cache-config/t3c-apply/torequest/torequest.go
@@ -238,11 +238,13 @@ func (r *TrafficOpsReq) checkConfigFile(cfg *ConfigFile, filesAdding []string) e
 	}
 
 	if strings.HasSuffix(cfg.Name, ".cer") {
-		if err := checkCert(cfg.Body); err != nil {
-			r.configFileWarnings[cfg.Name] = append(r.configFileWarnings[cfg.Name], fmt.Sprintln(err))
+		err, fatal := checkCert(cfg.Body)
+		if err != nil {
+			r.configFileWarnings[cfg.Name] = append(r.configFileWarnings[cfg.Name], err.Error())
 		}
-		for _, wrn := range cfg.Warnings {
-			r.configFileWarnings[cfg.Name] = append(r.configFileWarnings[cfg.Name], wrn)
+		r.configFileWarnings[cfg.Name] = append(r.configFileWarnings[cfg.Name], cfg.Warnings...)
+		if fatal {
+			return errors.New(err.Error() + " for: " + cfg.Name)
 		}
 	}