fix: Resolve certificate validate failure Issues (1Panel-dev#9698)

ssongliu · web-flow · commit 134b17d2f0af · 2025-07-28T15:36:10.000+08:00
diff --git a/agent/middleware/certificate.go b/agent/middleware/certificate.go
@@ -1,13 +1,15 @@
 package middleware
 
 import (
-	"errors"
 	"fmt"
+	"net"
+	"net/http"
 	"strings"
 
 	"github.com/1Panel-dev/1Panel/agent/app/api/v2/helper"
 	"github.com/1Panel-dev/1Panel/agent/global"
 	"github.com/1Panel-dev/1Panel/agent/utils/cmd"
+	"github.com/1Panel-dev/1Panel/agent/utils/xpack"
 	"github.com/gin-gonic/gin"
 )
 
@@ -17,13 +19,8 @@ func Certificate() gin.HandlerFunc {
 			c.Next()
 			return
 		}
-		if !c.Request.TLS.HandshakeComplete || len(c.Request.TLS.PeerCertificates) == 0 {
-			helper.InternalServer(c, errors.New("no such tls peer certificates"))
-			return
-		}
-		cert := c.Request.TLS.PeerCertificates[0]
-		if cert.Subject.CommonName != "panel_client" {
-			helper.InternalServer(c, fmt.Errorf("err certificate"))
+		if !xpack.ValidateCertificate(c) {
+			CloseDirectly(c)
 			return
 		}
 		conn := c.Request.Header.Get("Connection")
@@ -40,3 +37,18 @@ func Certificate() gin.HandlerFunc {
 		c.Next()
 	}
 }
+
+func CloseDirectly(c *gin.Context) {
+	hijacker, ok := c.Writer.(http.Hijacker)
+	if !ok {
+		c.AbortWithStatus(http.StatusForbidden)
+		return
+	}
+	conn, _, err := hijacker.Hijack()
+	if err != nil {
+		c.AbortWithStatus(http.StatusForbidden)
+		return
+	}
+	_ = conn.(*net.TCPConn).SetLinger(0)
+	conn.Close()
+}
diff --git a/agent/server/server.go b/agent/server/server.go
@@ -2,6 +2,7 @@ package server
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net"
 	"net/http"
@@ -78,9 +79,17 @@ func Start() {
 			fmt.Printf("failed to load X.509 key pair: %s\n", err)
 			return
 		}
+
 		server.TLSConfig = &tls.Config{
 			Certificates: []tls.Certificate{tlsCert},
-			ClientAuth:   tls.RequireAnyClientCert,
+			ClientAuth:   tls.RequireAndVerifyClientCert,
+		}
+		caItem, _ := settingRepo.GetValueByKey("RootCrt")
+		if len(caItem) != 0 {
+			caCertPool := x509.NewCertPool()
+			rootCrt, _ := encrypt.StringDecrypt(caItem)
+			caCertPool.AppendCertsFromPEM([]byte(rootCrt))
+			server.TLSConfig.ClientCAs = caCertPool
 		}
 		business.Init()
 		global.LOG.Infof("listen at https://0.0.0.0:%s", global.CONF.Base.Port)
diff --git a/agent/utils/xpack/xpack.go b/agent/utils/xpack/xpack.go
@@ -15,6 +15,7 @@ import (
 	"github.com/1Panel-dev/1Panel/agent/buserr"
 	"github.com/1Panel-dev/1Panel/agent/global"
 	"github.com/1Panel-dev/1Panel/agent/utils/cmd"
+	"github.com/gin-gonic/gin"
 )
 
 func RemoveTamper(website string) {}
@@ -72,3 +73,7 @@ func LoadRequestTransport() *http.Transport {
 		IdleConnTimeout:       15 * time.Second,
 	}
 }
+
+func ValidateCertificate(c *gin.Context) bool {
+	return true
+}

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@ import (`
`15`	`15`	`"github.com/1Panel-dev/1Panel/agent/buserr"`
`16`	`16`	`"github.com/1Panel-dev/1Panel/agent/global"`
`17`	`17`	`"github.com/1Panel-dev/1Panel/agent/utils/cmd"`
	`18`	`+ "github.com/gin-gonic/gin"`
`18`	`19`	`)`
`19`	`20`
`20`	`21`	`func RemoveTamper(website string) {}`
`@@ -72,3 +73,7 @@ func LoadRequestTransport() *http.Transport {`
`72`	`73`	`IdleConnTimeout: 15 * time.Second,`
`73`	`74`	`}`
`74`	`75`	`}`
	`76`	`+`
	`77`	`+func ValidateCertificate(c *gin.Context) bool {`
	`78`	`+ return true`
	`79`	`+}`