From f6c2225f68fae8494d620dca0fc41b50a0450977 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Wed, 26 Feb 2025 13:37:57 +0100
Subject: [PATCH 1/6] check-certificates: catch and ignore import error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hmm... 🤨 When was that runtime error introduced? I *think* it worked before.
---
 check-certificates.rsc | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/check-certificates.rsc b/check-certificates.rsc
index 0907395..94f23a7 100644
--- a/check-certificates.rsc
+++ b/check-certificates.rsc
@@ -59,10 +59,12 @@
 
         :local DecryptionFailed true;
         :foreach PassPhrase in=$CertRenewPass do={
-          :local Result [ /certificate/import file-name=$CertFileName passphrase=$PassPhrase as-value ];
-          :if ($Result->"decryption-failures" = 0) do={
-            :set DecryptionFailed false;
-          }
+          :do {
+            :local Result [ /certificate/import file-name=$CertFileName passphrase=$PassPhrase as-value ];
+            :if ($Result->"decryption-failures" = 0) do={
+              :set DecryptionFailed false;
+            }
+          } on-error={ }
         }
 
         $RmFile $CertFileName;

From a6d4e7e82cc9870c6cfd1e0ee9724eb6129ce5ab Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Wed, 26 Feb 2025 18:03:17 +0100
Subject: [PATCH 2/6] check-certificates: drop dot from type...

... and add it in file name.
---
 check-certificates.rsc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/check-certificates.rsc b/check-certificates.rsc
index 94f23a7..20ac2e2 100644
--- a/check-certificates.rsc
+++ b/check-certificates.rsc
@@ -50,8 +50,8 @@
 
     :local Return false;
 
-    :foreach Type in={ ".pem"; ".p12" } do={
-      :local CertFileName ([ $UrlEncode $FetchName ] . $Type);
+    :foreach Type in={ "pem"; "p12" } do={
+      :local CertFileName ([ $UrlEncode $FetchName ] . "." . $Type);
       :do {
         /tool/fetch check-certificate=yes-without-crl http-header-field=({ [ $FetchUserAgentStr $ScriptName ] }) \
           ($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value;
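Review bot: The `} on-error={ }` that closes the new `:do` block discards every failure of `/certificate/import`, not only a wrong passphrase, so a missing or malformed file becomes indistinguishable from a decryption failure and the runtime error the commit message wonders about is hidden rather than explained; the same empty handler is still in place after the hunk of PATCH 3/6. Logging the failure at debug level, without echoing `$PassPhrase`, keeps the diagnosis possible: `} on-error={ $LogPrint debug $ScriptName ("Importing '" . $CertFileName . "' failed."); }`. One plausible origin of the error, inferred rather than visible here, is that a successful import consumes the file and the loop then retries the remaining passphrases against a file that no longer exists. The enclosing function starts and ends outside the hunk.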
From 3d40b4419d47f41edf5059c00c1ab575f49c6da1 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Wed, 26 Feb 2025 13:40:12 +0100
Subject: [PATCH 3/6] check-certificates: add more debug output

---
 check-certificates.rsc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/check-certificates.rsc b/check-certificates.rsc
index 20ac2e2..6862015 100644
--- a/check-certificates.rsc
+++ b/check-certificates.rsc
@@ -58,10 +58,12 @@
         $WaitForFile $CertFileName;
 
         :local DecryptionFailed true;
-        :foreach PassPhrase in=$CertRenewPass do={
+        :foreach I,PassPhrase in=$CertRenewPass do={
           :do {
+            $LogPrint debug $ScriptName ("Trying " . $I . ". passphrase... ");
             :local Result [ /certificate/import file-name=$CertFileName passphrase=$PassPhrase as-value ];
             :if ($Result->"decryption-failures" = 0) do={
+              $LogPrint debug $ScriptName ("Success!");
               :set DecryptionFailed false;
             }
           } on-error={ }

From 512c54bd590503af27e754c5c65c34b5307cf9c9 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Wed, 26 Feb 2025 13:55:09 +0100
Subject: [PATCH 4/6] check-certificates: ... and even more

---
 check-certificates.rsc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/check-certificates.rsc b/check-certificates.rsc
index 6862015..6dff9ba 100644
--- a/check-certificates.rsc
+++ b/check-certificates.rsc
@@ -52,6 +52,9 @@
 
     :foreach Type in={ "pem"; "p12" } do={
       :local CertFileName ([ $UrlEncode $FetchName ] . "." . $Type);
+      $LogPrint debug $ScriptName ("Trying type '" . $Type . "' for '" . $CertName . \
+        "' (file '" . $CertFileName . "')...");
+
       :do {
         /tool/fetch check-certificate=yes-without-crl http-header-field=({ [ $FetchUserAgentStr $ScriptName ] }) \
           ($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value;

From e833dfcf25175fb1d5c652dcf898c6332ce70404 Mon Sep 17 00:00:00 2001
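Review bot: After a passphrase succeeds and `DecryptionFailed` is set to false, the `:foreach I,PassPhrase` loop still runs `/certificate/import` for every remaining entry of `$CertRenewPass`, and any of those later attempts that fails lands in the silent `on-error` branch, so the "Success!" line may be followed by failures that never show up in the log. Guarding the attempt with `:if ($DecryptionFailed = true) do={` around the `:do` block (closed with one more `}`) stops at the first working passphrase without needing a loop break. Logging only the index `$I` rather than the passphrase itself is the right choice and should be kept when the messages are extended. The surrounding function continues outside the hunk.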
From: Christian Hesse
Date: Wed, 26 Feb 2025 13:51:25 +0100
Subject: [PATCH 5/6] check-certificates: simplify return from function...

... and also break earch on success.
---
 check-certificates.rsc | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/check-certificates.rsc b/check-certificates.rsc
index 6dff9ba..5065c33 100644
--- a/check-certificates.rsc
+++ b/check-certificates.rsc
@@ -48,8 +48,6 @@
     :global UrlEncode;
     :global WaitForFile;
 
-    :local Return false;
-
     :foreach Type in={ "pem"; "p12" } do={
       :local CertFileName ([ $UrlEncode $FetchName ] . "." . $Type);
       $LogPrint debug $ScriptName ("Trying type '" . $Type . "' for '" . $CertName . \
@@ -84,13 +82,13 @@
           $CertificateNameByCN [ /certificate/get $CertInChain common-name ];
         }
 
-        :set Return true;
+        :return true;
       } on-error={
         $LogPrint debug $ScriptName ("Could not download certificate file '" . $CertFileName . "'.");
       }
     }
 
-    :return $Return;
+    :return false;
   }
 
   :local FormatInfo do={

From 14195c51ca381063789ca58c760d70037328e600 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Wed, 26 Feb 2025 18:25:58 +0100
Subject: [PATCH 6/6] check-certificates: try PKCS#12 before PEM...
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

... as that is more likely to have a private key. Is that true? 🤨
---
 check-certificates.rsc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/check-certificates.rsc b/check-certificates.rsc
index 5065c33..be8e4df 100644
--- a/check-certificates.rsc
+++ b/check-certificates.rsc
@@ -48,7 +48,7 @@
     :global UrlEncode;
     :global WaitForFile;
 
-    :foreach Type in={ "pem"; "p12" } do={
+    :foreach Type in={ "p12"; "pem" } do={
       :local CertFileName ([ $UrlEncode $FetchName ] . "." . $Type);
       $LogPrint debug $ScriptName ("Trying type '" . $Type . "' for '" . $CertName . \
         "' (file '" . $CertFileName . "')...");
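Review bot: `:return true;` in the second hunk now executes from inside a `:do { } on-error={ }` block nested in the `:foreach Type` loop, so it is worth confirming on the RouterOS versions this script targets that `:return` unwinds out of the `:do` and the loop instead of being treated as a caught error; if it were caught, the function would log "Could not download certificate file" for a download that actually worked and fall through to the new `:return false;`. A one-line comment above the loop, `# return on the first type that downloads and imports`, would make this early-exit control flow obvious to the next reader, since the loop header and the return are separated by roughly thirty lines. The function's signature lies before the first hunk and the code between the two hunks is not visible here.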
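Review bot: The new order `{ "p12"; "pem" }` carries an assumption the code does not state and the commit message itself questions; because PATCH 5/6 makes the function return after the first type that downloads successfully, a server that publishes both files will now never have its `.pem` considered, even if the `.p12` could not be decrypted with any configured passphrase. A comment next to the loop keeps the rationale with the code, e.g. `# PKCS#12 first: it usually bundles the private key, PEM may carry the certificate only`. Whether `:return true` is reached when no passphrase matched cannot be checked from this hunk, as that code sits below it.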