[BUGFIX] Fix incorrect docs and Certificate PEM extensions (#1589)

* add .crt to the PEM extensions scanned for
* fix documentation on the extensions allowed
* add trace logging to the loading process to help debug in the future
pull/1590/head
James Elliott 2021-01-10 22:10:45 +11:00 committed by GitHub
parent 525e08037c
commit 712288555c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 3 deletions


@ -44,7 +44,7 @@ tls_cert: /config/ssl/cert.pem
This option defines the location of additional certificates to load into the trust chain specifically for Authelia. This option defines the location of additional certificates to load into the trust chain specifically for Authelia.
This currently affects both the SMTP notifier and the LDAP authentication backend. The certificates should all be in the This currently affects both the SMTP notifier and the LDAP authentication backend. The certificates should all be in the
PEM format and end with the extension `.pem` or `.crt`. You can either add the individual certificates public key PEM format and end with the extension `.pem`, `.crt`, or `.cer`. You can either add the individual certificates public key
or the CA public key which signed them (don't add the private key). or the CA public key which signed them (don't add the private key).


@ -9,6 +9,7 @@ import (
"strings" "strings"
"github.com/authelia/authelia/internal/configuration/schema" "github.com/authelia/authelia/internal/configuration/schema"
"github.com/authelia/authelia/internal/logging"
) )
// NewTLSConfig generates a tls.Config from a schema.TLSConfig and a x509.CertPool. // NewTLSConfig generates a tls.Config from a schema.TLSConfig and a x509.CertPool.
@ -35,6 +36,10 @@ func NewX509CertPool(directory string, config *schema.Configuration) (certPool *
certPool = x509.NewCertPool() certPool = x509.NewCertPool()
} }
logger := logging.Logger()
logger.Tracef("Starting scan of directory %s for certificates", directory)
if directory != "" { if directory != "" {
certsFileInfo, err := ioutil.ReadDir(directory) certsFileInfo, err := ioutil.ReadDir(directory)
if err != nil { if err != nil {
@ -43,8 +48,12 @@ func NewX509CertPool(directory string, config *schema.Configuration) (certPool *
for _, certFileInfo := range certsFileInfo { for _, certFileInfo := range certsFileInfo {
nameLower := strings.ToLower(certFileInfo.Name()) nameLower := strings.ToLower(certFileInfo.Name())
if !certFileInfo.IsDir() && (strings.HasSuffix(nameLower, ".cer") || strings.HasSuffix(nameLower, ".pem")) { if !certFileInfo.IsDir() && (strings.HasSuffix(nameLower, ".cer") || strings.HasSuffix(nameLower, ".crt") || strings.HasSuffix(nameLower, ".pem")) {
certBytes, err := ioutil.ReadFile(path.Join(directory, certFileInfo.Name())) certPath := path.Join(directory, certFileInfo.Name())
logger.Tracef("Found possible cert %s, attempting to add it to the pool", certPath)
certBytes, err := ioutil.ReadFile(certPath)
if err != nil { if err != nil {
errors = append(errors, fmt.Errorf("could not read certificate %v", err)) errors = append(errors, fmt.Errorf("could not read certificate %v", err))
} else if ok := certPool.AppendCertsFromPEM(certBytes); !ok { } else if ok := certPool.AppendCertsFromPEM(certBytes); !ok {
@ -55,6 +64,8 @@ func NewX509CertPool(directory string, config *schema.Configuration) (certPool *
} }
} }
logger.Tracef("Finished scan of directory %s for certificates", directory)
// Deprecated. Maps deprecated values to the new ones. TODO: Remove in 4.28. // Deprecated. Maps deprecated values to the new ones. TODO: Remove in 4.28.
if config != nil && config.Notifier != nil && config.Notifier.SMTP != nil && config.Notifier.SMTP.TrustedCert != "" { if config != nil && config.Notifier != nil && config.Notifier.SMTP != nil && config.Notifier.SMTP.TrustedCert != "" {
nonFatalErrors = append(nonFatalErrors, fmt.Errorf("defining the trusted cert in the SMTP notifier is deprecated and will be removed in 4.28.0, please use the global certificates_directory instead")) nonFatalErrors = append(nonFatalErrors, fmt.Errorf("defining the trusted cert in the SMTP notifier is deprecated and will be removed in 4.28.0, please use the global certificates_directory instead"))
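Review bot: The new `certPath := path.Join(directory, certFileInfo.Name())` builds an OS filesystem path with the slash-only `path` package; `filepath.Join` is the right call for a directory read from configuration and keeps the certificate directory working on Windows, i.e. `certPath := filepath.Join(directory, certFileInfo.Name())` (the import block is only partly visible in the first hunk, so `path` would presumably be swapped for `path/filepath` there). The three-way `strings.HasSuffix` chain on the `if` line would also read better through the same package: `ext := filepath.Ext(nameLower)` followed by `if !certFileInfo.IsDir() && (ext == ".cer" || ext == ".crt" || ext == ".pem") {`. Files with a `.cer` extension are often DER rather than PEM, in which case `AppendCertsFromPEM` on the following line returns false; the trace line added per candidate helps, but the error appended in that branch (its body is outside the visible lines) should name `certPath` so an operator can identify the skipped file without enabling trace logging. NewX509CertPool's body starts and ends outside the hunks shown.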