mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 12:11:30 +00:00
shankar0123
b059ec930f
Fixes 12 production bugs preventing the full issuance→deployment flow from working with ACME (Pebble/Let's Encrypt) and step-ca issuers: ACME connector (acme.go): - Save orderURI before WaitOrder overwrites it (Go crypto/acme bug) - Add CreateOrderCert fallback via WaitOrder+FetchCert - Remove defer-reset in ValidateConfig that caused nil pointer panic - Add Insecure TLS option for self-signed ACME servers (Pebble) step-ca connector (stepca.go, jwe.go): - Real JWE provisioner key loading + decryption (was using ephemeral keys) - Fix JWT audience (/1.0/sign), sha claim (key fingerprint), kid header - Custom root CA trust via RootCertPath config - Remove hardcoded 90-day validity default (let step-ca decide) NGINX target connector (nginx.go): - Use sh -c for validate/reload commands (shell interpretation) - Use filepath.Dir instead of fragile string slicing - Add private key file writing (agent-mode keys were never deployed) - Make chain_path write conditional Server/service layer: - TriggerRenewalWithActor now creates actual Job records (was no-op) - createDeploymentJobs falls back to DB query when cert.TargetIDs empty - ProcessPendingJobs skips agent-routed deployment jobs - Agent cert pickup path parsing: len(parts)<4 → len(parts)<3 - Health/ready/auth-info endpoints bypass auth middleware - Write timeout 15s→120s for ACME issuance - Cert fingerprint computed on CSR submission Integration test environment (deploy/test/): - 10-phase test script covering Local CA, ACME, step-ca, revocation, discovery, renewal, and API spot checks - Docker Compose with 7 containers (server, agent, postgres, nginx, pebble, challtestsrv, step-ca) on isolated network - TLS verification checks SAN (not just Subject CN) for modern CA compat Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
28 lines
1010 B
Bash
Executable File
28 lines
1010 B
Bash
Executable File
#!/bin/sh
|
|
# Generate a self-signed placeholder certificate so NGINX can boot
|
|
# before the certctl agent deploys a real certificate.
|
|
# Once the agent deploys, it overwrites these files and reloads NGINX.
|
|
|
|
CERT_DIR="/etc/nginx/certs"
|
|
mkdir -p "$CERT_DIR"
|
|
|
|
# Make cert directory world-writable so the certctl-agent container
|
|
# (which shares this volume) can overwrite the placeholder certs.
|
|
chmod 777 "$CERT_DIR"
|
|
|
|
if [ ! -f "$CERT_DIR/cert.pem" ]; then
|
|
echo "Generating self-signed placeholder certificate..."
|
|
apk add --no-cache openssl > /dev/null 2>&1
|
|
openssl req -x509 -nodes -days 1 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
|
|
-keyout "$CERT_DIR/key.pem" \
|
|
-out "$CERT_DIR/cert.pem" \
|
|
-subj "/CN=placeholder.certctl.test" \
|
|
2>/dev/null
|
|
# Make placeholder certs writable by the agent container
|
|
chmod 666 "$CERT_DIR/cert.pem" "$CERT_DIR/key.pem"
|
|
echo "Placeholder certificate generated."
|
|
fi
|
|
|
|
# Start NGINX in foreground
|
|
exec nginx -g "daemon off;"
|