fix: end-to-end certificate lifecycle bugs + integration test environment

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 12:21:31 +00:00

Fixes 12 production bugs preventing the full issuance→deployment flow
from working with ACME (Pebble/Let's Encrypt) and step-ca issuers:

ACME connector (acme.go):
- Save orderURI before WaitOrder overwrites it (Go crypto/acme bug)
- Add CreateOrderCert fallback via WaitOrder+FetchCert
- Remove defer-reset in ValidateConfig that caused nil pointer panic
- Add Insecure TLS option for self-signed ACME servers (Pebble)

step-ca connector (stepca.go, jwe.go):
- Real JWE provisioner key loading + decryption (was using ephemeral keys)
- Fix JWT audience (/1.0/sign), sha claim (key fingerprint), kid header
- Custom root CA trust via RootCertPath config
- Remove hardcoded 90-day validity default (let step-ca decide)

NGINX target connector (nginx.go):
- Use sh -c for validate/reload commands (shell interpretation)
- Use filepath.Dir instead of fragile string slicing
- Add private key file writing (agent-mode keys were never deployed)
- Make chain_path write conditional

Server/service layer:
- TriggerRenewalWithActor now creates actual Job records (was no-op)
- createDeploymentJobs falls back to DB query when cert.TargetIDs empty
- ProcessPendingJobs skips agent-routed deployment jobs
- Agent cert pickup path parsing: len(parts)<4 → len(parts)<3
- Health/ready/auth-info endpoints bypass auth middleware
- Write timeout 15s→120s for ACME issuance
- Cert fingerprint computed on CSR submission

Integration test environment (deploy/test/):
- 10-phase test script covering Local CA, ACME, step-ca, revocation,
  discovery, renewal, and API spot checks
- Docker Compose with 7 containers (server, agent, postgres, nginx,
  pebble, challtestsrv, step-ca) on isolated network
- TLS verification checks SAN (not just Subject CN) for modern CA compat

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

This commit is contained in:

shankar0123

2026-04-02 17:02:20 -04:00

parent 2238f28610

commit b059ec930f

19 changed files with 2102 additions and 84 deletions

									
										go.mod
									
		+4
		-2
	
												View File
												
				@@ -9,7 +9,10 @@ require (

					github.com/testcontainers/testcontainers-go v0.35.0

				)

				require golang.org/x/crypto v0.31.0

				require (

					golang.org/x/crypto v0.31.0

					software.sslmate.com/src/go-pkcs12 v0.7.0

				)

				require (

					dario.cat/mergo v1.0.0 // indirect

				@@ -63,5 +66,4 @@ require (

					golang.org/x/oauth2 v0.34.0 // indirect

					golang.org/x/sys v0.40.0 // indirect

					gopkg.in/yaml.v3 v3.0.1 // indirect

					software.sslmate.com/src/go-pkcs12 v0.7.0 // indirect

				)