Fixes for bugs related to rendering certificate templates from defaults and variables.

2025-07-28 21:26:52 +02:00
parent 71412ace5e
commit 9d226df44f
1 changed files with 24 additions and 20 deletions
--- a/ca.go
+++ b/ca.go
@@ -412,8 +412,9 @@ func InitCA() error {
 		NotBefore:             now,
 		NotAfter:              now.Add(validity),
 		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
-		BasicConstraintsValid: true,
-		IsCA:                  true,
+		BasicConstraintsValid: true, // This is a CA certificate
+		IsCA:                  true, // This is a CA certificate
+		MaxPathLenZero:        true, // Allow issuing end-entity certificates
 	}
 	// Add email if present
 	if caConfig.Email != "" {
@@ -517,6 +518,8 @@ func issueSingleCertificate(def CertificateDefinition) error {
 		NotBefore:             dateIssued,
 		NotAfter:              expires,
 		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		IsCA:                  false,
+		BasicConstraintsValid: true,
 	}

 	for _, s := range def.SAN {
@@ -584,6 +587,7 @@ Certificate:
 			def.SAN,
 		)
 	}
+
 	caState.UpdateCAStateAfterIssue(
 		caConfig.SerialType,
 		def.Name,
@@ -624,26 +628,26 @@ func ProvisionCertificates(filePath string, overwrite bool, dryRun bool, verbose

 	// Loop through all certificate definitions
 	// to render templates and fill missing fields from defaults
-	for _, def := range certDefs.Certificates {
+	for i := range certDefs.Certificates {
 		// Fill missing fields from defaults, if provided
-		def.FillDefaultValues(certDefs.Defaults)
+		certDefs.Certificates[i].FillDefaultValues(certDefs.Defaults)
 		// Render templates in the definition using the variables map
 		// with added definition name.
 		variables := certDefs.Variables
 		if variables == nil {
 			variables = make(map[string]string)
 		}
-		variables["Name"] = def.Name
-		err = def.RenderTemplates(variables)
+		variables["Name"] = certDefs.Certificates[i].Name
+		err = certDefs.Certificates[i].RenderTemplates(variables)
 		if err != nil {
-			return fmt.Errorf("failed to render templates for certificate %s: %v", def.Name, err)
+			return fmt.Errorf("failed to render templates for certificate %s: %v", certDefs.Certificates[i].Name, err)
 		}
 	}

 	n := len(certDefs.Certificates)
 	// No errors so far, now we can issue certificates
-	for i, def := range certDefs.Certificates {
-		fmt.Printf("[%d/%d] Issuing %s... ", i+1, n, def.Name)
+	for i := range certDefs.Certificates {
+		fmt.Printf("[%d/%d] Issuing %s... ", i+1, n, certDefs.Certificates[i].Name)

 		if dryRun {
 			fmt.Printf("(dry run)\n")
@@ -651,7 +655,7 @@ func ProvisionCertificates(filePath string, overwrite bool, dryRun bool, verbose
 			continue
 		}

-		err = issueSingleCertificate(def)
+		err = issueSingleCertificate(certDefs.Certificates[i])
 		if err != nil {
 			fmt.Printf("error: %v\n", err)
 			errors++