Create backup file during migration from ACME V1 to ACME V2

2018-04-16 19:34:04 +02:00 · 2018-04-16 19:34:04 +02:00 · a2e03e3bd0
commit a2e03e3bd0
parent f0589b310f
5 changed files with 96 additions and 22 deletions
--- a/provider/acme/local_store.go
+++ b/provider/acme/local_store.go
@ -52,6 +52,7 @@ func (s *LocalStore) get() (*StoredData, error) {
 					return nil, err
 				}
 			}
+
 			// Check if ACME Account is in ACME V1 format
 			if s.storedData.Account != nil && s.storedData.Account.Registration != nil {
 				isOldRegistration, err := regexp.MatchString(RegistrationURLPathV1Regexp, s.storedData.Account.Registration.URI)
@ -63,6 +64,21 @@ func (s *LocalStore) get() (*StoredData, error) {
 					s.SaveDataChan <- s.storedData
 				}
 			}
+
+			// Delete all certificates with no value
+			var certificates []*Certificate
+			for _, certificate := range s.storedData.Certificates {
+				if len(certificate.Certificate) == 0 || len(certificate.Key) == 0 {
+					log.Debugf("Delete certificate %v for domains %v which have no value.", certificate, certificate.Domain.ToStrArray())
+					continue
+				}
+				certificates = append(certificates, certificate)
+			}
+
+			if len(certificates) < len(s.storedData.Certificates) {
+				s.storedData.Certificates = certificates
+				s.SaveDataChan <- s.storedData
+			}
 		}
 	}

--- a/provider/acme/provider.go
+++ b/provider/acme/provider.go
@ -41,7 +41,7 @@ type Configuration struct {
 	Storage       string         `description:"Storage to use."`
 	EntryPoint    string         `description:"EntryPoint to use."`
 	OnHostRule    bool           `description:"Enable certificate generation on frontends Host rules."`
-	OnDemand      bool           `description:"Enable on demand certificate generation. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate."` //deprecated
+	OnDemand      bool           `description:"Enable on demand certificate generation. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate."` // Deprecated
 	DNSChallenge  *DNSChallenge  `description:"Activate DNS-01 Challenge"`
 	HTTPChallenge *HTTPChallenge `description:"Activate HTTP-01 Challenge"`
 	Domains       []types.Domain `description:"CN and SANs (alternative domains) to each main domain using format: --acme.domains='main.com,san1.com,san2.com' --acme.domains='*.main.net'. No SANs for wildcards domain. Wildcard domains only accepted with DNSChallenge"`
@ -225,11 +225,17 @@ func (p *Provider) resolveCertificate(domain types.Domain, domainFromConfigurati
 	}

 	bundle := true
+
 	certificate, failures := client.ObtainCertificate(uncheckedDomains, bundle, nil, OSCPMustStaple)
 	if len(failures) > 0 {
 		return nil, fmt.Errorf("cannot obtain certificates %+v", failures)
 	}
-	log.Debugf("Certificates obtained for domain %+v", uncheckedDomains)
+
+	if len(certificate.Certificate) == 0 || len(certificate.PrivateKey) == 0 {
+		return nil, fmt.Errorf("domains %v generate certificate with no value: %v", uncheckedDomains, certificate)
+	}
+	log.Debugf("Certificates obtained for domains %+v", uncheckedDomains)
+
 	if len(uncheckedDomains) > 1 {
 		domain = types.Domain{Main: uncheckedDomains[0], SANs: uncheckedDomains[1:]}
 	} else {
@ -446,16 +452,25 @@ func (p *Provider) renewCertificates() {
 				log.Infof("Error renewing certificate from LE : %+v, %v", certificate.Domain, err)
 				continue
 			}
+
 			log.Infof("Renewing certificate from LE : %+v", certificate.Domain)
+
 			renewedCert, err := client.RenewCertificate(acme.CertificateResource{
 				Domain:      certificate.Domain.Main,
 				PrivateKey:  certificate.Key,
 				Certificate: certificate.Certificate,
 			}, true, OSCPMustStaple)
+
 			if err != nil {
 				log.Errorf("Error renewing certificate from LE: %v, %v", certificate.Domain, err)
 				continue
 			}
+
+			if len(renewedCert.Certificate) == 0 || len(renewedCert.PrivateKey) == 0 {
+				log.Errorf("domains %v renew certificate with no value: %v", certificate.Domain.ToStrArray(), certificate)
+				continue
+			}
+
 			p.addCertificateForDomain(certificate.Domain, renewedCert.Certificate, renewedCert.PrivateKey)
 		}
 	}
@ -473,6 +488,7 @@ func (p *Provider) AddRoutes(router *mux.Router) {
 					log.Debugf("Unable to split host and port: %v. Fallback to request host.", err)
 					domain = req.Host
 				}
+
 				tokenValue := getTokenValue(token, domain, p.Store)
 				if len(tokenValue) > 0 {
 					rw.WriteHeader(http.StatusOK)