
Commit a15e663

Skip Ari checks if cert expired or revoked
1 parent c3a8ca7 commit a15e663

1 file changed

+60
-52
lines changed

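--- a/src/Certify.Core/Management/CertifyManager/CertifyManager.Maintenance.cs
+++ b/src/Certify.Core/Management/CertifyManager/CertifyManager.Maintenance.cs
@@ -241,7 +241,7 @@ private async Task PerformCertificateStatusChecks(CancellationToken cancelToken,
 }
 else
 {
-if (ocspCheck != Models.Certify.Models.CertificateStatusType.TryLater)
+if (ocspCheck != Models.Certify.Models.CertificateStatusType.TryLater && ocspCheck != Models.Certify.Models.CertificateStatusType.OcspNotSupported)
 {
 completedOcspUpdateChecks.Add(item.Id);
 }
@@ -271,88 +271,96 @@ private async Task PerformCertificateStatusChecks(CancellationToken cancelToken,
 break;
 }
 
-try
+if (item.CertificateRevoked || item.DateExpiry < DateTimeOffset.UtcNow)
 {
-var caAccount = await GetAccountDetails(item, allowFailover: false, isResumedOrder: true);
-var provider = await GetACMEProvider(item, caAccount);
-
-if (provider != null)
+// skip items that are already revoked or expired
+_serviceLog.Warning("Skipping renewal info check for item which is no longer valid: {itemName}", item.Name);
+}
+else
+{
+try
 {
-var providerKey = provider.GetAcmeBaseURI();
-directoryInfoCache.TryGetValue(providerKey, out var directoryInfo);
+var caAccount = await GetAccountDetails(item, allowFailover: false, isResumedOrder: true);
+var provider = await GetACMEProvider(item, caAccount);
 
-if (directoryInfo == null)
+if (provider != null)
 {
-directoryInfo = await provider?.GetAcmeDirectory();
+var providerKey = provider.GetAcmeBaseURI();
+directoryInfoCache.TryGetValue(providerKey, out var directoryInfo);
 
-if (directoryInfo != null && directoryInfo.NewAccount != null)
+if (directoryInfo == null)
 {
-try
+directoryInfo = await provider?.GetAcmeDirectory();
+
+if (directoryInfo != null && directoryInfo.NewAccount != null)
 {
-directoryInfoCache.Add(providerKey, directoryInfo);
+try
+{
+directoryInfoCache.Add(providerKey, directoryInfo);
+}
+catch { }
 }
-catch { }
 }
-}
-
-if (directoryInfo?.RenewalInfo != null && !string.IsNullOrWhiteSpace(item.CertificateThumbprintHash))
-{
-_serviceLog.Verbose($"Checking renewal info for {item.Name}");
 
-if (item.ARICertificateId != null && !item.ARICertificateId.Contains("."))
+if (directoryInfo?.RenewalInfo != null && !string.IsNullOrWhiteSpace(item.CertificateThumbprintHash))
 {
-// ARI certificate ID not current format, will need to be recomputed.
-item.ARICertificateId = null;
-}
+_serviceLog.Verbose($"Checking renewal info for {item.Name}");
+
+if (item.ARICertificateId != null && !item.ARICertificateId.Contains("."))
+{
+// ARI certificate ID not current format, will need to be recomputed.
+item.ARICertificateId = null;
+}
 
 #if NET9_0_OR_GREATER
 var x509Cert2 = System.Security.Cryptography.X509Certificates.X509CertificateLoader.LoadPkcs12FromFile(item.CertificatePath, await GetPfxPassword(item));
 #else
-var x509Cert2 = new System.Security.Cryptography.X509Certificates.X509Certificate2(File.ReadAllBytes(item.CertificatePath), await GetPfxPassword(item));
+var x509Cert2 = new System.Security.Cryptography.X509Certificates.X509Certificate2(File.ReadAllBytes(item.CertificatePath), await GetPfxPassword(item));
 #endif
-var ariCertId = item.ARICertificateId ?? Certify.Shared.Core.Utils.PKI.CertUtils.GetARICertIdBase64(x509Cert2);
-var info = await provider.GetRenewalInfo(ariCertId);
+var ariCertId = item.ARICertificateId ?? Certify.Shared.Core.Utils.PKI.CertUtils.GetARICertIdBase64(x509Cert2);
+var info = await provider.GetRenewalInfo(ariCertId);
 
-var nextRenewal = ManagedCertificate.CalculateNextRenewalAttempt(item, CoreAppSettings.Current.RenewalIntervalDays, CoreAppSettings.Current.RenewalIntervalMode ?? RenewalIntervalModes.DaysAfterLastRenewal);
+var nextRenewal = ManagedCertificate.CalculateNextRenewalAttempt(item, CoreAppSettings.Current.RenewalIntervalDays, CoreAppSettings.Current.RenewalIntervalMode ?? RenewalIntervalModes.DaysAfterLastRenewal);
 
-if (info != null && nextRenewal?.DateNextRenewalAttempt != null)
-{
-// if planned next renewal is beyond the suggested window, set new scheduled renewal date. This allows the user to prefer their own earlier renewal but lets the CA suggest that an even earlier renewal is required (e.g. revocation)
-// in the future would could add a pref for the user to "Let the CA decide when best to renew" in order to more strictly keep the renewal within the "suggested" window.
-if (nextRenewal.DateNextRenewalAttempt > info.SuggestedWindow?.Start || nextRenewal?.DateNextRenewalAttempt > info.SuggestedWindow?.End)
+if (info != null && nextRenewal?.DateNextRenewalAttempt != null)
 {
-var dateSpan = info.SuggestedWindow.End - info.SuggestedWindow.Start;
-var randomMinsInSlot = new Random().Next((int)dateSpan.Value.TotalMinutes);
-
-var scheduledRenewalDate = info.SuggestedWindow?.Start.Value.AddMinutes(randomMinsInSlot) ?? nextRenewal.DateNextRenewalAttempt;
-
-if (scheduledRenewalDate.HasValue)
+// if planned next renewal is beyond the suggested window, set new scheduled renewal date. This allows the user to prefer their own earlier renewal but lets the CA suggest that an even earlier renewal is required (e.g. revocation)
+// in the future would could add a pref for the user to "Let the CA decide when best to renew" in order to more strictly keep the renewal within the "suggested" window.
+if (nextRenewal.DateNextRenewalAttempt > info.SuggestedWindow?.Start || nextRenewal?.DateNextRenewalAttempt > info.SuggestedWindow?.End)
 {
-_serviceLog.Information($"Random renewal date {scheduledRenewalDate} within ARI renewal window [{info.SuggestedWindow?.Start} to {info.SuggestedWindow?.End}] has been set for {item.Name} ");
+var dateSpan = info.SuggestedWindow.End - info.SuggestedWindow.Start;
+var randomMinsInSlot = new Random().Next((int)dateSpan.Value.TotalMinutes);
 
-itemsViaARI.Add(item.Id, scheduledRenewalDate.Value);
+var scheduledRenewalDate = info.SuggestedWindow?.Start.Value.AddMinutes(randomMinsInSlot) ?? nextRenewal.DateNextRenewalAttempt;
 
-if (scheduledRenewalDate < DateTimeOffset.Now)
+if (scheduledRenewalDate.HasValue)
 {
-// item requires immediate renewal
-if (!itemsWhichRequireRenewal.Contains(item.Id))
+_serviceLog.Information($"Random renewal date {scheduledRenewalDate} within ARI renewal window [{info.SuggestedWindow?.Start} to {info.SuggestedWindow?.End}] has been set for {item.Name} ");
+
+itemsViaARI.Add(item.Id, scheduledRenewalDate.Value);
+
+if (scheduledRenewalDate < DateTimeOffset.Now)
 {
-itemsWhichRequireRenewal.Add(item.Id);
+// item requires immediate renewal
+if (!itemsWhichRequireRenewal.Contains(item.Id))
+{
+itemsWhichRequireRenewal.Add(item.Id);
+}
 }
 }
 }
 }
-}
-else
-{
-_serviceLog.Verbose($"Renewal info unavailable or not supported for {item.Name}");
+else
+{
+_serviceLog.Verbose($"Renewal info unavailable or not supported for {item.Name}");
+}
 }
 }
 }
-}
-catch (Exception ex)
-{
-_serviceLog.Warning("Failed to perform renewal info check for {itemName} : {ex}", item.Name, ex);
+catch (Exception ex)
+{
+_serviceLog.Warning("Failed to perform renewal info check for {itemName} : {ex}", item.Name, ex);
+}
 }
 
 completedRenewalInfoChecks.Add(item.Id);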
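Review bot: The new revoked/expired guard at the top of the second hunk only logs a warning and then falls through to `completedRenewalInfoChecks.Add(item.Id)`, so a revoked item is never added to `itemsWhichRequireRenewal` on this path, whereas the ARI branch it now bypasses could have flagged it for immediate renewal through the CA's suggested window. If the regular renewal scheduler does not already treat `CertificateRevoked` as an immediate-renewal trigger (not visible in this hunk), a revoked certificate would now sit until its normal renewal date; consider `if (item.CertificateRevoked && !itemsWhichRequireRenewal.Contains(item.Id)) { itemsWhichRequireRenewal.Add(item.Id); }` inside the skip branch, or a comment stating where revoked items are picked up. The expiry comparison uses `DateTimeOffset.UtcNow` while the existing immediate-renewal check further down uses `DateTimeOffset.Now`; both compare instants, but using one form in the method would read more consistently. The enclosing `PerformCertificateStatusChecks` begins and ends outside the hunk.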
