
Commit 60a4512

committed
Add /crl and /1.0/crl to the insecure HTTP handler
1 parent cb1dc80 commit 60a4512


1 file changed

+24
-2
lines changed

1 file changed

+24
-2
lines changed

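--- a/ca/ca.go
+++ b/ca/ca.go
@@ -196,7 +196,11 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 api.Route(r)
 })
 
-//Add ACME api endpoints in /acme and /1.0/acme
+// Mount the CRL to the insecure mux
+insecureMux.Get("/crl", api.CRL)
+insecureMux.Get("/1.0/crl", api.CRL)
+
+// Add ACME api endpoints in /acme and /1.0/acme
 dns := cfg.DNSNames[0]
 u, err := url.Parse("https://" + cfg.Address)
 if err != nil {
@@ -276,6 +280,7 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 
 // helpful routine for logging all routes
 //dumpRoutes(mux)
+//dumpRoutes(insecureMux)
 
 // Add monitoring if configured
 if len(cfg.Monitoring) > 0 {
@@ -307,7 +312,7 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 
 // only start the insecure server if the insecure address is configured
 // and, currently, also only when it should serve SCEP endpoints.
-if ca.shouldServeSCEPEndpoints() && cfg.InsecureAddress != "" {
+if ca.shouldServeInsecureServer() {
 // TODO: instead opt for having a single server.Server but two
 // http.Servers handling the HTTP and HTTPS handler? The latter
 // will probably introduce more complexity in terms of graceful
@@ -321,6 +326,23 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 return ca, nil
 }
 
+// shouldServeInsecureServer returns whether or not the insecure
+// server should also be started. This is (currently) only the case
+// if the insecure address has been configured AND when a SCEP
+// provisioner is configured or when a CRL is configured.
+func (ca *CA) shouldServeInsecureServer() bool {
+switch {
+case ca.config.InsecureAddress == "":
+return false
+case ca.shouldServeSCEPEndpoints():
+return true
+case ca.config.CRL != nil && ca.config.CRL.Enabled:
+return true
+default:
+return false
+}
+}
+
 // buildContext builds the server base context.
 func buildContext(a *authority.Authority, scepAuthority *scep.Authority, acmeDB acme.DB, acmeLinker acme.Linker) context.Context {
 ctx := authority.NewContext(context.Background(), a)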
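Review bot: The two `insecureMux.Get` registrations for `/crl` and `/1.0/crl` in the first hunk are unconditional, while `shouldServeInsecureServer` only counts the CRL as a reason to start the plain-HTTP listener when `ca.config.CRL != nil && ca.config.CRL.Enabled`. With a SCEP provisioner configured and the CRL disabled, the routes would still be reachable on the plain-HTTP listener, and what `api.CRL` returns in that state is not visible here. Consider wrapping the two `Get` calls in the same condition, e.g. `if cfg.CRL != nil && cfg.CRL.Enabled {`, assuming `cfg` and `ca.config` refer to the same configuration, which the hunks do not show. The unchanged comment above the new `if ca.shouldServeInsecureServer() {` still says the server starts `only when it should serve SCEP endpoints` and should mention the CRL as well. `Init` begins and ends outside these hunks.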
