feat(ssl): improve SSL helper

- improve security by making certificates valid for only 90 days instead of 10 years
- add SubjectAltName
- remove unnecessary parameters
- use carbon immutable to make sure expiration date stays the same
This commit is contained in:
peaklabs-dev
2025-01-30 19:52:21 +01:00
parent d280f11b6b
commit 34188450eb


@@ -3,23 +3,20 @@
namespace App\Helpers; namespace App\Helpers;
use App\Models\SslCertificate; use App\Models\SslCertificate;
use Carbon\Carbon; use Carbon\CarbonImmutable;
class SslHelper class SslHelper
{ {
private const DEFAULT_VALIDITY_YEARS = 10; private const DEFAULT_ORGANIZATION_NAME = 'Coolify';
private const DEFAULT_ORG_NAME = 'Coolify';
public static function generateSslCertificate( public static function generateSslCertificate(
string $commonName,
array $additionalSans,
string $resourceType, string $resourceType,
int $resourceId, int $resourceId,
string $commonName, ?string $organizationName = null,
?Carbon $validUntil = null,
?string $organizationName = null
): SslCertificate { ): SslCertificate {
$validUntil ??= Carbon::now()->addYears(self::DEFAULT_VALIDITY_YEARS); $organizationName ??= self::DEFAULT_ORGANIZATION_NAME;
$organizationName ??= self::DEFAULT_ORG_NAME;
try { try {
$privateKey = openssl_pkey_new([ $privateKey = openssl_pkey_new([
@@ -38,6 +35,7 @@ class SslHelper
$dn = [ $dn = [
'commonName' => $commonName, 'commonName' => $commonName,
'organizationName' => $organizationName, 'organizationName' => $organizationName,
'subjectAltName' => implode(', ', array_merge(["DNS:$commonName"], $additionalSans)),
]; ];
$csr = openssl_csr_new($dn, $privateKey, [ $csr = openssl_csr_new($dn, $privateKey, [
@@ -50,13 +48,11 @@ class SslHelper
throw new \RuntimeException('Failed to generate CSR: '.openssl_error_string()); throw new \RuntimeException('Failed to generate CSR: '.openssl_error_string());
} }
$validityDays = max(1, Carbon::now()->diffInDays($validUntil));
$certificate = openssl_csr_sign( $certificate = openssl_csr_sign(
$csr, $csr,
null, null,
$privateKey, $privateKey,
$validityDays, 90,
[ [
'digest_alg' => 'sha512', 'digest_alg' => 'sha512',
'config' => null, 'config' => null,
@@ -77,7 +73,7 @@ class SslHelper
'ssl_private_key' => $privateKeyStr, 'ssl_private_key' => $privateKeyStr,
'resource_type' => $resourceType, 'resource_type' => $resourceType,
'resource_id' => $resourceId, 'resource_id' => $resourceId,
'valid_until' => $validUntil, 'valid_until' => CarbonImmutable::now()->addDays(90),
]); ]);
} catch (\Throwable $e) { } catch (\Throwable $e) {
throw new \RuntimeException('SSL Certificate generation failed: '.$e->getMessage(), 0, $e); throw new \RuntimeException('SSL Certificate generation failed: '.$e->getMessage(), 0, $e);
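Review bot: The SAN added on the `'subjectAltName' => implode(...)` line is placed in the `$dn` array, which `openssl_csr_new()` treats as subject name attributes, so — as far as I can tell from PHP's OpenSSL binding — it ends up as an RDN inside the subject rather than as an X.509v3 subjectAltName extension, and clients that ignore the CN (current browsers, Go's crypto/tls) will still fail hostname verification against these certificates. Extensions have to reach OpenSSL through a config file: write a temporary config with a `[v3_req]` section, pass `'config' => $configPath, 'req_extensions' => 'v3_req'` to `openssl_csr_new()` and `'config' => $configPath, 'x509_extensions' => 'v3_req'` to `openssl_csr_sign()` (the `'config' => null` in the signing options would otherwise drop the extension from the issued certificate), and `unlink()` the file in a `finally`. Because `$additionalSans` is interpolated verbatim, each entry should first be validated against a strict `DNS:`/`IP:` hostname or address pattern — a value containing a newline would otherwise inject arbitrary directives into that config. Separately, `90` is hard-coded twice (the `openssl_csr_sign()` argument and `valid_until`) and evaluated at two different instants; a single `private const DEFAULT_VALIDITY_DAYS = 90;` plus one `$validUntil = CarbonImmutable::now()->addDays(self::DEFAULT_VALIDITY_DAYS);` taken before signing keeps the stored expiry in step with the certificate. The `openssl_csr_new()` options array opened on the last line of the second hunk continues outside the hunk.
```php
$dn = [
    'commonName' => $commonName,
    'organizationName' => $organizationName,
];

// openssl_csr_new() only accepts subject attributes in $dn; the SAN extension must come from a config file.
$sans = implode(', ', array_merge(["DNS:$commonName"], $additionalSans)); // entries validated by the caller/helper first
$configPath = tempnam(sys_get_temp_dir(), 'openssl_');
file_put_contents($configPath, "[req]\ndistinguished_name = req_dn\nreq_extensions = v3_req\n[req_dn]\n[v3_req]\nsubjectAltName = $sans\n");

$csr = openssl_csr_new($dn, $privateKey, [
    'config' => $configPath,
    'req_extensions' => 'v3_req',
    // … unchanged: remaining CSR options …
]);
// … unchanged: CSR error check …
$certificate = openssl_csr_sign($csr, null, $privateKey, self::DEFAULT_VALIDITY_DAYS, [
    'digest_alg' => 'sha512',
    'config' => $configPath,
    'x509_extensions' => 'v3_req',
    // … unchanged: remaining signing options …
]);
// … unchanged: export and persist (valid_until => $validUntil); unlink($configPath) in a finally block …
```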