dave/coolify
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

feat(ssl): improve ssl generation

Browse Source 
- add default state and country
- rename parameters for more clarity
- set subjectAltName
- delete old certificate before creating new one
- Set CN and subjectAltNames in DB for automatic renewal
This commit is contained in:
peaklabs-dev
2025-02-03 22:11:29 +01:00
parent 9d9fbd6859
commit 72a2f79d88
1 changed files with 37 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
app/Helpers/SslHelper.php
View File

@@ -2,6 +2,7 @@
namespace App\Helpers; namespace App\Helpers;
use App\Models\Server;
use App\Models\SslCertificate; use App\Models\SslCertificate;
use Carbon\CarbonImmutable; use Carbon\CarbonImmutable;
@@ -9,18 +10,21 @@ class SslHelper
{ {
private const DEFAULT_ORGANIZATION_NAME = 'Coolify'; private const DEFAULT_ORGANIZATION_NAME = 'Coolify';
private const DEFAULT_COUNTRY_CODE = 'ZZ';
private const DEFAULT_STATE = 'Default';
public static function generateSslCertificate( public static function generateSslCertificate(
string $commonName, string $commonName,
array $additionalSans = [], array $subjectAlternativeNames = [],
?string $resourceType = null, ?string $resourceType = null,
?int $resourceId = null, ?int $resourceId = null,
?int $serverId = null, ?int $serverId = null,
?string $organizationName = null,
int $validityDays = 365, int $validityDays = 365,
?string $caCert = null, ?string $caCert = null,
?string $caKey = null ?string $caKey = null,
bool $isCaCertificate = false
): SslCertificate { ): SslCertificate {
$organizationName ??= self::DEFAULT_ORGANIZATION_NAME;
try { try {
$privateKey = openssl_pkey_new([ $privateKey = openssl_pkey_new([
@@ -36,13 +40,29 @@ class SslHelper
throw new \RuntimeException('Failed to export private key: '.openssl_error_string()); throw new \RuntimeException('Failed to export private key: '.openssl_error_string());
} }
$dn = [ if (! is_null($serverId) && ! $isCaCertificate) {
$server = Server::find($serverId);
if ($server) {
$ip = $server->getIp;
if ($ip) {
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6)) {
$subjectAlternativeNames[] = "IP:$ip";
} else {
$subjectAlternativeNames[] = "DNS:$ip";
}
}
}
}
$certificateSubject = [
'commonName' => $commonName, 'commonName' => $commonName,
'organizationName' => $organizationName, 'subjectAltName' => implode(', ', array_merge(["DNS:$commonName"], $subjectAlternativeNames)),
'subjectAltName' => implode(', ', array_merge(["DNS:$commonName"], $additionalSans)), 'organizationName' => self::DEFAULT_ORGANIZATION_NAME,
'countryName' => self::DEFAULT_COUNTRY_CODE,
'stateOrProvinceName' => self::DEFAULT_STATE,
]; ];
$csr = openssl_csr_new($dn, $privateKey, [ $csr = openssl_csr_new($certificateSubject, $privateKey, [
'digest_alg' => 'sha512', 'digest_alg' => 'sha512',
'config' => null, 'config' => null,
'encrypt_key' => false, 'encrypt_key' => false,
@@ -72,6 +92,12 @@ class SslHelper
throw new \RuntimeException('Failed to export certificate: '.openssl_error_string()); throw new \RuntimeException('Failed to export certificate: '.openssl_error_string());
} }
SslCertificate::query()
->where('resource_type', $resourceType)
->where('resource_id', $resourceId)
->where('server_id', $serverId)
->delete();
return SslCertificate::create([ return SslCertificate::create([
'ssl_certificate' => $certificateStr, 'ssl_certificate' => $certificateStr,
'ssl_private_key' => $privateKeyStr, 'ssl_private_key' => $privateKeyStr,
@@ -79,6 +105,9 @@ class SslHelper
'resource_id' => $resourceId, 'resource_id' => $resourceId,
'server_id' => $serverId, 'server_id' => $serverId,
'valid_until' => CarbonImmutable::now()->addDays($validityDays), 'valid_until' => CarbonImmutable::now()->addDays($validityDays),
'is_ca_certificate' => $isCaCertificate,
'common_name' => $commonName,
'subject_alternative_names' => implode(', ', array_merge(["DNS:$commonName"], $subjectAlternativeNames)),
]); ]);
} catch (\Throwable $e) { } catch (\Throwable $e) {
throw new \RuntimeException('SSL Certificate generation failed: '.$e->getMessage(), 0, $e); throw new \RuntimeException('SSL Certificate generation failed: '.$e->getMessage(), 0, $e);