mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 19:11:30 +00:00
cf632c0af4
Fixes 12 production bugs preventing the full issuance→deployment flow from working with ACME (Pebble/Let's Encrypt) and step-ca issuers:

ACME connector (acme.go):
- Save orderURI before WaitOrder overwrites it (Go crypto/acme bug)
- Add CreateOrderCert fallback via WaitOrder+FetchCert
- Remove defer-reset in ValidateConfig that caused nil pointer panic
- Add Insecure TLS option for self-signed ACME servers (Pebble)

step-ca connector (stepca.go, jwe.go):
- Real JWE provisioner key loading + decryption (was using ephemeral keys)
- Fix JWT audience (/1.0/sign), sha claim (key fingerprint), kid header
- Custom root CA trust via RootCertPath config
- Remove hardcoded 90-day validity default (let step-ca decide)

NGINX target connector (nginx.go):
- Use sh -c for validate/reload commands (shell interpretation)
- Use filepath.Dir instead of fragile string slicing
- Add private key file writing (agent-mode keys were never deployed)
- Make chain_path write conditional

Server/service layer:
- TriggerRenewalWithActor now creates actual Job records (was no-op)
- createDeploymentJobs falls back to DB query when cert.TargetIDs empty
- ProcessPendingJobs skips agent-routed deployment jobs
- Agent cert pickup path parsing: len(parts)<4 → len(parts)<3
- Health/ready/auth-info endpoints bypass auth middleware
- Write timeout 15s→120s for ACME issuance
- Cert fingerprint computed on CSR submission

Integration test environment (deploy/test/):
- 10-phase test script covering Local CA, ACME, step-ca, revocation, discovery, renewal, and API spot checks
- Docker Compose with 7 containers (server, agent, postgres, nginx, pebble, challtestsrv, step-ca) on isolated network
- TLS verification checks SAN (not just Subject CN) for modern CA compat

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
43 lines
1.2 KiB
Nginx Configuration File
# NGINX configuration for certctl test environment.
# The agent deploys certificates to /etc/nginx/certs/ and reloads NGINX.
# On startup, NGINX uses a self-signed placeholder so it can boot before any cert is deployed.

# Generate a self-signed placeholder on container start (see entrypoint in compose).
# Once the agent deploys a real cert, it overwrites these files and reloads.

events {
    worker_connections 1024;
}

http {
    # HTTP → redirect to HTTPS (optional, for realism)
    server {
        listen 80;
        server_name _;
        return 301 https://$host$request_uri;
    }

    # HTTPS server — serves whatever cert the agent has deployed
    server {
        listen 443 ssl;
        server_name _;

        ssl_certificate /etc/nginx/certs/cert.pem;
        ssl_certificate_key /etc/nginx/certs/key.pem;

        # Modern TLS settings
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;

        location / {
            default_type text/plain;
            return 200 'certctl test environment — NGINX is serving TLS\n';
        }

        location /health {
            default_type text/plain;
            return 200 'ok\n';
        }
    }
}