Skip to content
This repository has been archived by the owner on Jun 25, 2024. It is now read-only.

Cert expired checker #4

Open
wants to merge 3 commits into
base: volt-certificate-provider
Choose a base branch
from
Open

Cert expired checker #4

wants to merge 3 commits into from

Conversation

orbitalturtle
Copy link

Pull Request Checklist

  • If this is your first time contributing, we recommend you read the Code
    Contribution Guidelines
  • All changes are Go version 1.12 compliant
  • The code being submitted is commented according to Code Documentation and Commenting
  • For new code: Code is accompanied by tests which exercise both
    the positive and negative (error paths) conditions (if applicable)
  • For bug fixes: Code is accompanied by new tests which trigger
    the bug being fixed to prevent regressions
  • Any new logging statements use an appropriate subsystem and
    logging level
  • Code has been formatted with go fmt
  • Protobuf files (lnrpc/**/*.proto) have been formatted with
    make rpc-format and compiled with make rpc
  • New configuration flags have been added to sample-lnd.conf
  • For code and documentation: lines are wrapped at 80 characters
    (the tab character should be counted as 8 characters, not 4, as some IDEs do
    per default)
  • Running make check does not fail any tests
  • Running go vet does not report any issues
  • Running make lint does not report any new issues that did not
    already exist
  • All commits build properly and pass tests. Only in exceptional
    cases it can be justifiable to violate this condition. In that case, the
    reason should be stated in the commit message.
  • Commits have a logical structure according to Ideal Git Commit Structure

@orbitalturtle orbitalturtle mentioned this pull request Apr 1, 2021
Open
gkrizek
gkrizek reviewed Apr 3, 2021
View reviewed changes
Copy link
Member

@gkrizek gkrizek left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@orbitalturtle This looks awesome and I love how you reformatted the ZeroSSL service. Few comments for the initial review. I can start testing once we straighten those out.

Also looks like it could use a make fmt

lnd.go Outdated
func CheckForExpiredCert(certprovider certprovider.CertProvider, certId string) bool {
cert, err := certprovider.GetCert(certId)
if err != nil {
fmt.Errorf("error retrieving ZeroSSL certificate: %v", err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need a return here? Maybe if there's an error return false

lnd.go Outdated

// CheckForExpiredCert finds whether the TLS certificate is expiring soon.
func CheckForExpiredCert(certprovider certprovider.CertProvider, certId string) bool {
cert, err := certprovider.GetCert(certId)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting choice calling to ZeroSSL to check the expiration date. I actually didn't even think about that. My approach would have been to read the tls.cert from disk and check it's expiration date from that. What's your opinion on one versus the other? I think I'm slightly worried that this could get out of step with what the API returns and what the certificate actually is. That might be a super rare case, but could be a crazy happening nonetheless.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ohh that's a good point. Let's read from disk to be safe. Also just in terms of the API potentially going down sometimes and whatnot

lnd.go Outdated
keyBytes, err = lnencrypt.DecryptPayloadFromReader(reader, activeChainControl.KeyRing)
if err != nil {
ltndLog.Error(err)
// return err
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see you commented out the error, should we return errors from this function?

lnd.go Outdated
if err != nil {
ltndLog.Error("Failed to revoke temporary certifiate:")
ltndLog.Error(err)
}
// Switch the server's TLS certificate to the persisntent one
// Switch the server's TLS certificate to the persistent one
err = tlsReloader.AttemptReload(certBytes, keyBytes)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this bit of code be replaced by the new DeleteAndRegenerateCert function? I'm not exactly sure but looks like maybe it can?

@orbitalturtle
Copy link
Author

@gkrizek Thanks for the review! I'll fix those things up.

Are you able to give me an example output of the full JSON that the download endpoint gives (https://zerossl.com/documentation/api/download-certificate-inline/)? That'll actually help with one of these changes

@gkrizek
Copy link
Member

gkrizek commented Apr 5, 2021

Sorry! Forgot about this part. Here's an example response:

{
    "certificate.crt": "-----BEGIN CERTIFICATE-----\nMIIGjzCCBHegAwIBAgIRAK8ncTZjqzI7SXhMESi0i5AwDQYJKoZIhvcNAQEMBQAw\nSzELMAkGA1UEBhMCQVQxEDAOBgNVBAoTB1plcm9TU0wxKjAoBgNVBAMTIVplcm9T\nU0wgUlNBIERvbWFpbiBTZWN1cmUgU2l0ZSBDQTAeFw0yMTA0MDQwMDAwMDBaFw0y\nMTA3MDMyMzU5NTlaMCsxKTAnBgNVBAMTIHRvZGVsZXRlLm0uc3RhZ2luZy52b2x0\nYWdlYXBwLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAukiA1Vcn\nFzhucGo3/UBuSQ+EwAqPoNWatqlQY4fqaYH9IkupEk6kHo5i/3yEFkldcNX8vlFO\n5aqe5jxAHywvs9J91XrVpnjSemVmT3PszjycJDgZwGP+w47qfftZGwA4KLW0iBPs\nKj8b4pOmqToihrzzzqhaU79sBMB++bIHLAjvb70pMleCLWZ7UpQUW++hNn+kIpNr\nRm3z7Hk0TKTIMi7ieUSNqbX7lFQ3pBJPAfj0vzSSDrxGHnV1yMleGTl3fZfqlMaE\nPwOqdZxdgxj+Op/cAcYaBcnCfWF9EnsV1jc4gtMd/6gVkX2wbLtGckP203rgdnoH\nBO8eFdZzTwKqXwIDAQABo4ICjDCCAogwHwYDVR0jBBgwFoAUyNl4aKLZGWjVPXLe\nXwo+3LWGhqYwHQYDVR0OBBYEFNNIYzH8hHcuY8N05sDaD+fLi3uuMA4GA1UdDwEB\n/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF\nBQcDAjBJBgNVHSAEQjBAMDQGCysGAQQBsjEBAgJOMCUwIwYIKwYBBQUHAgEWF2h0\ndHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECATCBiAYIKwYBBQUHAQEEfDB6\nMEsGCCsGAQUFBzAChj9odHRwOi8vemVyb3NzbC5jcnQuc2VjdGlnby5jb20vWmVy\nb1NTTFJTQURvbWFpblNlY3VyZVNpdGVDQS5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6\nLy96ZXJvc3NsLm9jc3Auc2VjdGlnby5jb20wggEEBgorBgEEAdZ5AgQCBIH1BIHy\nAPAAdgB9PvL4j/+IVWgkwsDKnlKJeSvFDngJfy5ql2iZfiLw1wAAAXidn6snAAAE\nAwBHMEUCICX0kRZLIr7wBO3g6APkHyei6qvufh5o+MZsiHkrscxsAiEAsGbGK2qf\n/FicbdFCDAO9IE+V2YwDAcVppYclbrMKSXoAdgCUILwejtWNbIhzH4KLIiwN0dpN\nXmxPlD1h204vWE2iwgAAAXidn6sGAAAEAwBHMEUCIQDgOeDlvC/DaMZ/JLprZRLA\nfRXPfj66C7r+k8tPrZkKAwIgLyr5lbFzBpwTYfyxHw1om8HV5qdZz55OHht9aRQi\nsnUwKwYDVR0RBCQwIoIgdG9kZWxldGUubS5zdGFnaW5nLnZvbHRhZ2VhcHAuaW8w\nDQYJKoZIhvcNAQEMBQADggIBAEo1wpkKTt8Nq4NJT1S0K311uvlzJCC0n3QvAaRa\nJ+pY1uvbvmre4n34epD4zm7iuv0J4kDyV8fGdPQ/aZy8BsoPi6msdSi1Nw2wCAKv\nfXcFuMkMQZxXrKDq7BDHWVIG12QEn67iZljq7xrfVZbvXm3QjG3QalFO3WvbRX0N\nXT0o1k2+c+ZhZy2D7mTOIiUmE+05O4e3YqY5ZMyJqZy2MClgXxnbLN/M+H8x2Szl\n9wh4R6iPSvwHdCm/chonaKCw5w9qfF5RMYlN5pMJFDia/JNe6UvKk6kU/e/LlT12\nxMizEKsnrbWwivcODsm4TDetxWA1yYog8TkV3VRprAVdBI/KanBQVjn4IGwTRmHF\nRZsR3SE4JCyctUaGwf4HYJ+/lkYEvlYezCveOUheUJ6auA3N6dai3EO8XfR9EMcJ\nmkAkt87xHDSvkFpHo471XFv1JQPrmyp00pq4wW3jAqsB7sD7kyJ4sYYS7f71dp05\nS4bGMlkXIhU2IPhVCKTWZQPKnMZ7gKFXlOuCfqDtkXMToTmyeLN29C05FmkLPPFt\nYp5g/VmuJLVJCw2j+I0FNaErjwji+CDc8rJo2jIctzDq7CouafqSqD2x9+a0S8Yj\nKiXCxw16VMs6S+DoKY64y4wzbDb1XOQ/TXnf14T5u5VlbhAIm3FfVhUDbTHVUp23\nn7SH\n-----END CERTIFICATE-----\n",
    "ca_bundle.crt": "-----BEGIN CERTIFICATE-----\nMIIG1TCCBL2gAwIBAgIQbFWr29AHksedBwzYEZ7WvzANBgkqhkiG9w0BAQwFADCB\niDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl\ncnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV\nBAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMjAw\nMTMwMDAwMDAwWhcNMzAwMTI5MjM1OTU5WjBLMQswCQYDVQQGEwJBVDEQMA4GA1UE\nChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NTTCBSU0EgRG9tYWluIFNlY3VyZSBT\naXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAhmlzfqO1Mdgj\n4W3dpBPTVBX1AuvcAyG1fl0dUnw/MeueCWzRWTheZ35LVo91kLI3DDVaZKW+TBAs\nJBjEbYmMwcWSTWYCg5334SF0+ctDAsFxsX+rTDh9kSrG/4mp6OShubLaEIUJiZo4\nt873TuSd0Wj5DWt3DtpAG8T35l/v+xrN8ub8PSSoX5Vkgw+jWf4KQtNvUFLDq8mF\nWhUnPL6jHAADXpvs4lTNYwOtx9yQtbpxwSt7QJY1+ICrmRJB6BuKRt/jfDJF9Jsc\nRQVlHIxQdKAJl7oaVnXgDkqtk2qddd3kCDXd74gv813G91z7CjsGyJ93oJIlNS3U\ngFbD6V54JMgZ3rSmotYbz98oZxX7MKbtCm1aJ/q+hTv2YK1yMxrnfcieKmOYBbFD\nhnW5O6RMA703dBK92j6XRN2EttLkQuujZgy+jXRKtaWMIlkNkWJmOiHmErQngHvt\niNkIcjJumq1ddFX4iaTI40a6zgvIBtxFeDs2RfcaH73er7ctNUUqgQT5rFgJhMmF\nx76rQgB5OZUkodb5k2ex7P+Gu4J86bS15094UuYcV09hVeknmTh5Ex9CBKipLS2W\n2wKBakf+aVYnNCU6S0nASqt2xrZpGC1v7v6DhuepyyJtn3qSV2PoBiU5Sql+aARp\nwUibQMGm44gjyNDqDlVp+ShLQlUH9x8CAwEAAaOCAXUwggFxMB8GA1UdIwQYMBaA\nFFN5v1qqK0rPVIDh2JvAnfKyA2bLMB0GA1UdDgQWBBTI2XhootkZaNU9ct5fCj7c\ntYaGpjAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUE\nFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwIgYDVR0gBBswGTANBgsrBgEEAbIxAQIC\nTjAIBgZngQwBAgEwUAYDVR0fBEkwRzBFoEOgQYY/aHR0cDovL2NybC51c2VydHJ1\nc3QuY29tL1VTRVJUcnVzdFJTQUNlcnRpZmljYXRpb25BdXRob3JpdHkuY3JsMHYG\nCCsGAQUFBwEBBGowaDA/BggrBgEFBQcwAoYzaHR0cDovL2NydC51c2VydHJ1c3Qu\nY29tL1VTRVJUcnVzdFJTQUFkZFRydXN0Q0EuY3J0MCUGCCsGAQUFBzABhhlodHRw\nOi8vb2NzcC51c2VydHJ1c3QuY29tMA0GCSqGSIb3DQEBDAUAA4ICAQAVDwoIzQDV\nercT0eYqZjBNJ8VNWwVFlQOtZERqn5iWnEVaLZZdzxlbvz2Fx0ExUNuUEgYkIVM4\nYocKkCQ7hO5noicoq/DrEYH5IuNcuW1I8JJZ9DLuB1fYvIHlZ2JG46iNbVKA3ygA\nEz86RvDQlt2C494qqPVItRjrz9YlJEGT0DrttyApq0YLFDzf+Z1pkMhh7c+7fXeJ\nqmIhfJpduKc8HEQkYQQShen426S3H0JrIAbKcBCiyYFuOhfyvuwVCFDfFvrjADjd\n4jX1uQXd161IyFRbm89s2Oj5oU1wDYz5sx+hoCuh6lSs+/uPuWomIq3y1GDFNafW\n+LsHBU16lQo5Q2yh25laQsKRgyPmMpHJ98edm6y2sHUabASmRHxvGiuwwE25aDU0\n2SAeepyImJ2CzB80YG7WxlynHqNhpE7xfC7PzQlLgmfEHdU+tHFeQazRQnrFkW2W\nkqRGIq7cKRnyypvjPMkjeiV9lRdAM9fSJvsB3svUuu1coIG1xxI1yegoGM4r5QP4\nRGIVvYaiI76C0djoSbQ/dkIUUXQuB8AL5jyH34g3BZaaXyvpmnV4ilppMXVAnAYG\nON51WhJ6W0xNdNJwzYASZYH+tmCWI+N60Gv2NNMGHwMZ7e9bXgzUCZH5FaBFDGR5\nS9VWqHB73Q+OyIVvIbKYcSc2w/aSuFKGSA==\n-----END CERTIFICATE-----\n"
}

@orbitalturtle orbitalturtle force-pushed the cert-expired-checker branch from 303ec1e to dbc68eb Compare April 8, 2021 02:05
@orbitalturtle orbitalturtle requested a review from gkrizek April 8, 2021 02:07
@orbitalturtle
Copy link
Author

@gkrizek Here's a refreshed version! I believe most of the new code is test-related

@gkrizek
Copy link
Member

gkrizek commented Apr 8, 2021

Looking over it again I think this look good. I'll test this soon too. Thanks!

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@gkrizek gkrizek Awaiting requested review from gkrizek

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@orbitalturtle @gkrizek