From 712288555c12043862debb833a0758284d30742a Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Sun, 10 Jan 2021 22:10:45 +1100
Subject: [PATCH] [BUGFIX] Fix incorrect docs and Certificate PEM extensions (#1589)

* add .crt to the PEM extensions scanned for
* fix documentation on the extensions allowed
* add trace logging to the loading process to help debug in the future
---
 docs/configuration/miscellaneous.md | 2 +-
 internal/utils/certificates.go | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/docs/configuration/miscellaneous.md b/docs/configuration/miscellaneous.md
index 6b8ab542c..773491aa1 100644
--- a/docs/configuration/miscellaneous.md
+++ b/docs/configuration/miscellaneous.md
@@ -44,7 +44,7 @@ tls_cert: /config/ssl/cert.pem
 This option defines the location of additional certificates to load into the trust chain specifically for Authelia.
 This currently affects both the SMTP notifier and the LDAP authentication backend. The certificates should all be in the
-PEM format and end with the extension `.pem` or `.crt`. You can either add the individual certificates public key
+PEM format and end with the extension `.pem`, `.crt`, or `.cer`. You can either add the individual certificates public key
 or the CA public key which signed them (don't add the private key).
 
diff --git a/internal/utils/certificates.go b/internal/utils/certificates.go
index a7d4be7f8..251528e4a 100644
--- a/internal/utils/certificates.go
+++ b/internal/utils/certificates.go
@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	"github.com/authelia/authelia/internal/configuration/schema"
+	"github.com/authelia/authelia/internal/logging"
 )
 
 // NewTLSConfig generates a tls.Config from a schema.TLSConfig and a x509.CertPool.
@@ -35,6 +36,10 @@ func NewX509CertPool(directory string, config *schema.Configuration) (certPool *
 		certPool = x509.NewCertPool()
 	}
 
+	logger := logging.Logger()
+
+	logger.Tracef("Starting scan of directory %s for certificates", directory)
+
 	if directory != "" {
 		certsFileInfo, err := ioutil.ReadDir(directory)
 		if err != nil {
@@ -43,8 +48,12 @@ func NewX509CertPool(directory string, config *schema.Configuration) (certPool *
 		for _, certFileInfo := range certsFileInfo {
 			nameLower := strings.ToLower(certFileInfo.Name())
 
-			if !certFileInfo.IsDir() && (strings.HasSuffix(nameLower, ".cer") || strings.HasSuffix(nameLower, ".pem")) {
-				certBytes, err := ioutil.ReadFile(path.Join(directory, certFileInfo.Name()))
+			if !certFileInfo.IsDir() && (strings.HasSuffix(nameLower, ".cer") || strings.HasSuffix(nameLower, ".crt") || strings.HasSuffix(nameLower, ".pem")) {
+				certPath := path.Join(directory, certFileInfo.Name())
+
+				logger.Tracef("Found possible cert %s, attempting to add it to the pool", certPath)
+
+				certBytes, err := ioutil.ReadFile(certPath)
 				if err != nil {
 					errors = append(errors, fmt.Errorf("could not read certificate %v", err))
 				} else if ok := certPool.AppendCertsFromPEM(certBytes); !ok {
@@ -55,6 +64,8 @@ func NewX509CertPool(directory string, config *schema.Configuration) (certPool *
 		}
 	}
 
+	logger.Tracef("Finished scan of directory %s for certificates", directory)
+
 	// Deprecated. Maps deprecated values to the new ones. TODO: Remove in 4.28.
 	if config != nil && config.Notifier != nil && config.Notifier.SMTP != nil && config.Notifier.SMTP.TrustedCert != "" {
 		nonFatalErrors = append(nonFatalErrors, fmt.Errorf("defining the trusted cert in the SMTP notifier is deprecated and will be removed in 4.28.0, please use the global certificates_directory instead"))
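Review bot: The added `Starting scan of directory %s` trace fires even when `directory` is empty and no scan happens, and the same holds for the `Finished scan` trace added in the last hunk (@@ -55), so a trace log will claim a scan of "" that never ran. Moving both lines inside the `if directory != ""` block, or emitting them only when `directory != ""`, keeps the trace output truthful; `%q` instead of `%s` would also make an empty or odd directory value visible in the log. NewX509CertPool's body starts and ends outside this hunk.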
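Review bot: The new `certPath := path.Join(directory, certFileInfo.Name())` uses `path`, which is for slash-separated paths, not OS filesystem paths; `filepath.Join` is the right call here (it needs a `path/filepath` import). Now that `certPath` is in scope, the read error two lines below still omits the file name, so with several files in the directory a failure cannot be attributed: `errors = append(errors, fmt.Errorf("could not read certificate %s: %w", certPath, err))` (the local slice named `errors` shadows the standard package name, should that package ever be imported in this function). The `AppendCertsFromPEM` failure branch, whose message lies outside the hunk, benefits from the same path in its error, since `.cer` files are frequently DER-encoded and a PEM parse failure is exactly the case an operator will want to trace to a file. NewX509CertPool's body starts and ends outside this hunk.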