diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
|
|
index 5e8790d20..c7aa8a713 100644
|
|
--- a/cmd/cert-checker/main.go
|
|
+++ b/cmd/cert-checker/main.go
|
|
@@ -110,6 +110,7 @@ type certChecker struct {
|
|
acceptableValidityDurations map[time.Duration]bool
|
|
lints lint.Registry
|
|
logger blog.Logger
|
|
+ skipForbiddenDomains bool
|
|
}
|
|
|
|
func newChecker(saDbMap certDB,
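Review bot: The new `skipForbiddenDomains` field is added without a comment, and since it switches off a check the code itself labels as defense-in-depth, a reader of the struct should not have to find the `checkCert` hunk to learn that. A one-liner such as `// skipForbiddenDomains disables the defense-in-depth forbiddenDomains check in checkCert; a PA/hostnamePolicyFile malfunction is then not caught here.` would do. The same applies to the exported `SkipForbiddenDomains` field added to `Config` in the later hunk, where the doc comment is also what operators see when reading the config type. The surrounding `certChecker` struct starts before this hunk.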
|
|
@@ -120,6 +121,7 @@ func newChecker(saDbMap certDB,
|
|
avd map[time.Duration]bool,
|
|
lints lint.Registry,
|
|
logger blog.Logger,
|
|
+ sfd bool,
|
|
) certChecker {
|
|
precertGetter := func(ctx context.Context, serial string) ([]byte, error) {
|
|
precertPb, err := sa.SelectPrecertificate(ctx, saDbMap, serial)
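Review bot: The new parameter is named `sfd`, which is the only abbreviated name in a signature whose neighbours are spelled out (`avd` aside, the others are `lints`, `logger`). Since the parameter is only copied into the struct, naming it after the field it populates, `skipForbiddenDomains bool,`, keeps the signature self-describing and matches the local used at the call site in `main`. `newChecker` starts before this hunk and its body continues past it.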
|
|
@@ -141,6 +143,7 @@ func newChecker(saDbMap certDB,
|
|
acceptableValidityDurations: avd,
|
|
lints: lints,
|
|
logger: logger,
|
|
+ skipForbiddenDomains: sfd,
|
|
}
|
|
}
|
|
|
|
@@ -438,14 +441,16 @@ func (c *certChecker) checkCert(ctx context.Context, cert *corepb.Certificate) (
|
|
problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err))
|
|
continue
|
|
}
|
|
- // For defense-in-depth, even if the PA was willing to issue for a name
|
|
- // we double check it against a list of forbidden domains. This way even
|
|
- // if the hostnamePolicyFile malfunctions we will flag the forbidden
|
|
- // domain matches
|
|
- if forbidden, pattern := isForbiddenDomain(name); forbidden {
|
|
- problems = append(problems, fmt.Sprintf(
|
|
- "Policy Authority was willing to issue but domain '%s' matches "+
|
|
- "forbiddenDomains entry %q", name, pattern))
|
|
+ if !c.skipForbiddenDomains {
|
|
+ // For defense-in-depth, even if the PA was willing to issue for a name
|
|
+ // we double check it against a list of forbidden domains. This way even
|
|
+ // if the hostnamePolicyFile malfunctions we will flag the forbidden
|
|
+ // domain matches
|
|
+ if forbidden, pattern := isForbiddenDomain(name); forbidden {
|
|
+ problems = append(problems, fmt.Sprintf(
|
|
+ "Policy Authority was willing to issue but domain '%s' matches "+
|
|
+ "forbiddenDomains entry %q", name, pattern))
|
|
+ }
|
|
}
|
|
}
|
|
for _, name := range parsedCert.IPAddresses {
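Review bot: When `c.skipForbiddenDomains` is set, `isForbiddenDomain` is never evaluated, so a name that matches a forbiddenDomains entry leaves no trace at all; the comment just above describes this check as the safety net for a malfunctioning hostnamePolicyFile, and silently discarding its result loses exactly the signal that net exists to provide. It would be safer to keep evaluating the match and, when the flag is set, only downgrade it from a reported problem to a log line via `c.logger`, so disabled-check hits remain visible in the checker's output (the exact log method depends on what blog.Logger offers; Infof is assumed below). This also removes one level of nesting. `checkCert` starts and ends outside this hunk.
```go
// … unchanged: PA willingness check above …
// For defense-in-depth, even if the PA was willing to issue for a name
// we double check it against a list of forbidden domains. When
// skipForbiddenDomains is set the match is logged instead of reported.
if forbidden, pattern := isForbiddenDomain(name); forbidden {
	if c.skipForbiddenDomains {
		c.logger.Infof("forbiddenDomains check skipped: domain '%s' matches entry %q", name, pattern)
	} else {
		problems = append(problems, fmt.Sprintf(
			"Policy Authority was willing to issue but domain '%s' matches "+
				"forbiddenDomains entry %q", name, pattern))
	}
}
```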
|
|
@@ -534,9 +539,10 @@ type Config struct {
|
|
|
|
Workers int `validate:"required,min=1"`
|
|
// Deprecated: this is ignored, and cert checker always checks both expired and unexpired.
|
|
- UnexpiredOnly bool
|
|
- BadResultsOnly bool
|
|
- CheckPeriod config.Duration
|
|
+ UnexpiredOnly bool
|
|
+ BadResultsOnly bool
|
|
+ SkipForbiddenDomains bool
|
|
+ CheckPeriod config.Duration
|
|
|
|
// AcceptableValidityDurations is a list of durations which are
|
|
// acceptable for certificates we issue.
|
|
@@ -599,6 +605,8 @@ func main() {
|
|
acceptableValidityDurations[ninetyDays] = true
|
|
}
|
|
|
|
+ skipForbiddenDomains := config.CertChecker.SkipForbiddenDomains
|
|
+
|
|
// Validate PA config and set defaults if needed.
|
|
cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")
|
|
cmd.FailOnError(config.PA.CheckIdentifiers(), "Invalid PA configuration")
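Review bot: The `skipForbiddenDomains` local is read from config and passed straight through, so nothing in the run output records that the forbidden-domain check was disabled; a run with the flag set and a run without it look identical unless a match would have occurred. Given that this file already prints run parameters to stderr (see the `# Getting certificates issued in the last %s` line in the next hunk), a matching line such as `if skipForbiddenDomains { fmt.Fprintf(os.Stderr, "# forbiddenDomains check disabled by config\n") }` placed right after the assignment would make the reduced coverage visible in every report. `main` starts before this hunk and continues after it.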
|
|
@@ -642,6 +650,7 @@ func main() {
|
|
acceptableValidityDurations,
|
|
lints,
|
|
logger,
|
|
+ skipForbiddenDomains,
|
|
)
|
|
fmt.Fprintf(os.Stderr, "# Getting certificates issued in the last %s\n", config.CertChecker.CheckPeriod)
|
|
|