From 2588f544ec412e2396239479136ea34ea6b52dab Mon Sep 17 00:00:00 2001
From: Massimiliano Adamo <maxadamo@gmail.com>
Date: Tue, 21 Sep 2021 22:21:18 +0200
Subject: [PATCH] fix wildcard dnsname

---
 main.go | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/main.go b/main.go
index dfce8d0..d1c041d 100644
--- a/main.go
+++ b/main.go
@@ -59,6 +59,7 @@ var (
 	tmpCaDestination          string
 	tmpKeyDestination         string
 	certTmpDir                string
+	wildcardTrue              bool
 	key                       *x509.Certificate
 	cert                      *x509.Certificate
 	httpClient                = &http.Client{Timeout: 10 * time.Second}
@@ -95,10 +96,14 @@ func getUpstreamVersion(url string) string {
 }
 
 // check certificates
-func checkCertificates(dnsname string, certificate string, fullchain string, ca string, key string, days int, fail bool) bool {
+func checkCertificates(dnsname string, certificate string, fullchain string, ca string, key string, days int, wildcard bool, fail bool) bool {
 
 	Seconds := days * 86400
 	daysNumber := time.Now().Local().Add(time.Second * time.Duration(Seconds))
+	modifiedDnsname := dnsname
+	if wildcard == true {
+		modifiedDnsname = fmt.Sprintf("*.%v", dnsname)
+	}
 
 	certPEM, err := ioutil.ReadFile(certificate)
 	if err != nil {
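Review bot: The new wildcard branch needs a comment explaining why prefixing `*.` works, because `x509.VerifyOptions.DNSName` is normally a hostname to be matched against the certificate's SANs, not a pattern; as far as I recall Go's verifier treats an input name containing `*` as not a valid hostname and falls back to an exact comparison, so the check now passes only when the certificate literally lists `*.<dnsname>` as a SAN and rejects a plain single-name certificate. Suggested comment above the `if`: `// With --wildcard, require the literal "*.<dnsname>" SAN; Go compares a starred name exactly, so a non-wildcard cert for dnsname fails here.` As a matter of style, `if wildcard == true {` is idiomatically `if wildcard {`, `fmt.Sprintf("*.%v", dnsname)` can be `"*." + dnsname`, and `modifiedDnsname` would be `modifiedDNSName` under Go's initialism convention. The existing doc comment `// check certificates` should also describe the new `wildcard` parameter, e.g. `// checkCertificates verifies the cert at certificate against ca for dnsname (or *.dnsname when wildcard is set) at now+days; with fail it exits on error.`. The body of checkCertificates continues outside the hunk.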
@@ -182,7 +187,7 @@ func checkCertificates(dnsname string, certificate string, fullchain string, ca
 
 	opts := x509.VerifyOptions{
 		Roots:         roots,
-		DNSName:       dnsname,
+		DNSName:       modifiedDnsname,
 		CurrentTime:   daysNumber,
 		Intermediates: x509.NewCertPool(),
 	}
@@ -506,6 +511,7 @@ Options:
 	VaultBaseURL = "https://vault.geant.org/v1"
 	if arguments["--wildcard"] == true {
 		modifiedCertName = fmt.Sprintf("wildcard_%v", CertName)
+		wildcardTrue = true
 		if TeamName == "puppet" {
 			VaultURL = fmt.Sprintf("%v/%v/common/vault_sectigo_ov_wildcard_%v_key", VaultBaseURL, TeamName, CertNameUnderscored)
 			RedisCertURL = fmt.Sprintf("%v/%v:common:redis_sectigo_ov_%v_pem.txt", RedisBaseURL, TeamName, CertNameUnderscored)
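Review bot: `wildcardTrue` is only consumed by the two checkCertificates calls later in this same function (the `@@ -547` and `@@ -564` hunks), so it does not need to be mutable package-level state as added in the `@@ -59` hunk; a local declared before this `if`, `wildcardTrue := arguments["--wildcard"] == true`, would replace both assignments, and the `wildcardTrue = false` added in the `@@ -519` hunk's else branch is redundant with the bool zero value anyway. If `arguments` is a docopt-style `map[string]interface{}`, the type assertion `wildcardTrue, _ := arguments["--wildcard"].(bool)` is the clearer form. The enclosing function starts and ends outside the hunk.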
@@ -519,6 +525,7 @@ Options:
 		}
 	} else {
 		modifiedCertName = fmt.Sprintf(CertName)
+		wildcardTrue = false
 		VaultURL = fmt.Sprintf("%v/%v/%v/vault_%v_key", VaultBaseURL, TeamName, CertName, CertNameUnderscored)
 		RedisCertURL = fmt.Sprintf("%v/%v:%v:redis_%v_pem.txt", RedisBaseURL, TeamName, CertName, CertNameUnderscored)
 		RedisCAURL = fmt.Sprintf("%v/%v:%v:redis_%v_chain_pem.txt", RedisBaseURL, TeamName, CertName, CertNameUnderscored)
@@ -547,7 +554,7 @@ Options:
 	}
 
 	// check if there is a certificate installed and it is valid
-	existingCert := checkCertificates(CertName, certificateDestination, fullchainDestination, caDestination, keyDestination, Days, false)
+	existingCert := checkCertificates(CertName, certificateDestination, fullchainDestination, caDestination, keyDestination, Days, wildcardTrue, false)
 	existingKey := checkPrivkey(keyDestination, certificateDestination, false)
 	if existingCert == true && existingKey == true {
 		fmt.Printf("%v the certificate is still valid\n", infoMsg)
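Review bot: The call now carries two adjacent positional booleans, `wildcardTrue, false` here and `wildcardTrue, true` in the `@@ -564` hunk, which is hard to read at the call site since nothing distinguishes the wildcard flag from the fail flag. Consider labelling them inline, `..., Days, /* wildcard */ wildcardTrue, /* fail */ false)`, or folding the growing parameter list into a small options struct if more flags are expected. The enclosing function starts and ends outside the hunk.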
@@ -564,7 +571,7 @@ Options:
 	WriteToFile(ca, tmpCaDestination, 0644)
 	WriteToFile(privKey, tmpKeyDestination, 0640)
 
-	checkCertificates(CertName, tmpCertificateDestination, tmpFullchainDestination, tmpCaDestination, tmpKeyDestination, Days, true)
+	checkCertificates(CertName, tmpCertificateDestination, tmpFullchainDestination, tmpCaDestination, tmpKeyDestination, Days, wildcardTrue, true)
 	checkPrivkey(tmpKeyDestination, tmpCertificateDestination, true)
 
 	// move certificates in place
-- 
GitLab