feat: wildcard and sans certificates #89
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Write Redis keys for certificate SAN as well.
Notify applications when the TLS certificate(s) for some names has changed.
Publish certificate-changed event when a custom TLS certificate has been uploaded.
Change the get-certificate output to return a list of certificates for the given FQDN. The list is sorted by decreasing relevance, so the first item has the higher relevance. This is a list of relevance factors, from most important to less important: - custom certificate with wildcard match - custom certificate with exact name match - internal (ACME) certificate with wildcard match - default internal certificate with exact name match - internal certificate with exact name match The match occurs in both the certificate subject and SAN extension. If two certificates score the same relevance the order depends on the underlying storage (custom certs or acme.json). If no match is found, the self-signed certificate is returned. Expiration date is not considered.
There was a problem hiding this comment.
PR Overview
This PR adds support for certificates with Subject Alternative Names (SAN) and wildcard entries. It introduces a new event (certificate-changed), refactors the get-certificate action to handle multiple certificate matching rules and scores, and updates the certificate helper module with cryptography dependency support.
Reviewed Changes
| File | Description |
|---|---|
| imageroot/actions/upload-certificate/30certificate_changed | Adds a new script to notify certificate-changed events via Redis publish. |
| imageroot/actions/get-certificate/20readconfig | Refactors certificate matching logic, introduces iterators for custom and ACME certificates, and sorts matches based on relevance. |
| imageroot/pypkg/cert_helpers.py | Updates the utility to extract certified names from certificates using the cryptography module. |
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
imageroot/pypkg/cert_helpers.py:19
- [nitpick] Consider updating the type hint from 'bytearray' to 'bytes' since certificate data is typically handled as bytes.
def extract_certified_names(cert_data : bytearray) -> set:
Comment on lines
+66
to
+69
| with open(cert_path, 'rb') as f: | ||
| bcert = f.read() | ||
| with open(f"custom_certificates/{main}.key", "rb") as f: | ||
| bkey = f.read() |
There was a problem hiding this comment.
Consider adding error handling in case the corresponding key file does not exist to prevent runtime exceptions during certificate loading.
Suggested change
| with open(cert_path, 'rb') as f: | |
| bcert = f.read() | |
| with open(f"custom_certificates/{main}.key", "rb") as f: | |
| bkey = f.read() | |
| try: | |
| with open(cert_path, 'rb') as f: | |
| bcert = f.read() | |
| with open(f"custom_certificates/{main}.key", "rb") as f: | |
| bkey = f.read() | |
| except FileNotFoundError as e: | |
| print(f"Error: {e}", file=sys.stderr) | |
| continue |
Copilot is powered by AI, so mistakes are possible. Review output carefully before use.
Consider a wildcard hostname like *.example.net valid for certificate actions.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds support for certificate with SANs, wildcard included.
certificate-updatedis retained for full backward compatibility.certificate-changedthat is notified when a custom certificate is uploaded, or obtained/renewed by ACME. The new event includes a full list of certificate names: applications that subscribe it can match their host name(s) with the list of names in the event payload.get-certificateresponse to include a list of certificates that match the requested FQDN. The list is sorted by decreasing relevance, so a client can safely assume thatcertificates[0]is the best option available.Relevance rules are (decreasing values):
If no match is found, the self-signed certificate is returned.
The use of Redis keys is deprecated and a log message is printed when they are set. In future releases the
export-certificatescript could be removed to avoid publishing the certificate private key in Redis.Refs NethServer/dev#7004
See also https://github.com/NethServer/ns8-core/tree/feat-7004