Inherit Certificate#name on renewal

Author: sorah

lib/acmesmith/certificate.rb

@@ -17,18 +17,21 @@ def self.split_pems(pems)
     # Return Acmesmith::Certificate by an issued certificate
     # @param pem_chain [String]
     # @param csr [Acme::Client::CertificateRequest]
+    # @param name [String, nil]
     # @return [Acmesmith::Certificate]
-    def self.by_issuance(pem_chain, csr)
+    def self.by_issuance(pem_chain, csr, name: nil)
       pems = split_pems(pem_chain)
-      new(pems[0], pems[1..-1], csr.private_key, nil, csr)
+      new(pems[0], pems[1..-1], csr.private_key, nil, csr, name: name)
     end
 
     # @param certificate [OpenSSL::X509::Certificate, String]
     # @param chain [String, Array<String>, Array<OpenSSL::X509::Certificate>]
     # @param private_key [String, OpenSSL::PKey::PKey]
     # @param key_passphrase [String, nil]
     # @param csr [String, OpenSSL::X509::Request, nil]
-    def initialize(certificate, chain, private_key, key_passphrase = nil, csr = nil)
+    # @param name [String, nil]
+    def initialize(certificate, chain, private_key, key_passphrase = nil, csr = nil, name: nil)
+      @name = name
       @certificate = case certificate
                      when OpenSSL::X509::Certificate
                        certificate
@@ -94,6 +97,8 @@ def initialize(certificate, chain, private_key, key_passphrase = nil, csr = nil)
     # @return [OpenSSL::X509::Request]
     attr_reader :csr
 
+    attr_writer :name
+
     # Try to decrypt private_key if encrypted.
     # @param pw [String] passphrase for encrypted PEM
     # @raise [PrivateKeyDecrypted] if private_key is decrypted
@@ -132,7 +137,7 @@ def issuer_pems
     # Note that this value can contain colons (':') if name is taken from non-DNS subject alternative name.
     # @return [String] certificate name
     def name
-      common_name || sans.first || all_sans.first
+      @name || common_name || sans.first || all_sans.first
     end
 
     # Returns a certificate common name taken from the certificate subject's CN field.

lib/acmesmith/client.rb

@@ -31,7 +31,7 @@ def authorize(*identifiers)
     end
 
     def post_issue_hooks(name)
-      cert = storage.get_certificate(name)
+      cert = load_certificate_from_storage(name)
       execute_post_issue_hooks(cert)
     end
 
@@ -125,7 +125,8 @@ def save(name, version: 'current', **kwargs)
     def autorenew(days: 30, remaining_life: nil, names: nil)
       (names || storage.list_certificates).each do |cn|
         puts "=> #{cn}"
-        cert = storage.get_certificate(cn)
+        cert = load_certificate_from_storage(cn)
+
         not_after = cert.certificate.not_after.utc
 
         lifetime = cert.certificate.not_after.utc - cert.certificate.not_before.utc
@@ -139,14 +140,14 @@ def autorenew(days: 30, remaining_life: nil, names: nil)
         puts "   Not valid after: #{not_after} (lifetime=#{format_duration(lifetime+1)}, remaining=#{format_duration(remaining)}, #{"%0.2f" % (ratio.to_f*100)}%)"
         next unless has_to_renew
 
-        puts " * Renewing: CN=#{cert.name}, SANs=#{cert.sans.join(',')}"
+        puts " * Renewing: #{cert.name.inspect}, SANs=#{cert.sans.join(',')}"
         order_with_private_key(cert.name, *cert.sans, private_key: regenerate_private_key(cert.public_key))
       end
     end
 
     def add_san(name, *add_sans)
-      puts "=> reissuing CN=#{name} with new SANs #{add_sans.join(?,)}"
-      cert = storage.get_certificate(name)
+      puts "=> reissuing #{name.inspect} with new SANs #{add_sans.join(?,)}"
+      cert = load_certificate_from_storage(name)
       sans = cert.sans + add_sans
       puts " * SANs will be: #{sans.join(?,)}"
       order_with_private_key(cert.name, *sans, private_key: regenerate_private_key(cert.public_key))
@@ -212,10 +213,11 @@ def account_key_passphrase
       end
     end
 
-    def order_with_private_key(*identifiers, private_key:, not_before: nil, not_after: nil)
+    def order_with_private_key(name, *identifiers, private_key:, not_before: nil, not_after: nil)
       order = OrderingService.new(
         acme: acme,
-        identifiers: identifiers,
+        common_name: name,
+        identifiers: [name, *identifiers],
         private_key: private_key,
         challenge_responder_rules: config.challenge_responders,
         chain_preferences: config.chain_preferences,
@@ -258,5 +260,12 @@ def regenerate_private_key(template)
         raise ArgumentError, "Unknown key type: #{template.class}"
       end
     end
+
+    # Load certificate from storage, inherit name property to loaded certificate to ensure stability of #name during renewal.
+    def load_certificate_from_storage(name)
+      retval = storage.get_certificate(name)
+      retval.name = name
+      retval
+    end
   end
 end

lib/acmesmith/ordering_service.rb

@@ -7,14 +7,16 @@ class OrderingService
     class NotCompleted < StandardError; end
 
     # @param acme [Acme::Client] ACME client
-    # @param identifiers [Array<String>] Array of domain names for a ordering certificate. The first item will be a common name.
+    # @param common_name [String] Common Name for a ordering certificate
+    # @param identifiers [Array<String>] Array of domain names for a ordering certificate. common_name has to be explicitly included in this argument.
     # @param private_key [OpenSSL::PKey::PKey] Private key
     # @param challenge_responder_rules [Array<Acmesmith::Config::ChallengeResponderRule>] responders
     # @param chain_preferences [Array<Acmesmith::Config::ChainPreference>] chain_preferences
     # @param not_before [Time]
     # @param not_after [Time]
-    def initialize(acme:, identifiers:, private_key:, challenge_responder_rules:, chain_preferences:, not_before: nil, not_after: nil)
+    def initialize(acme:, common_name:, identifiers:, private_key:, challenge_responder_rules:, chain_preferences:, not_before: nil, not_after: nil)
       @acme = acme
+      @common_name = common_name
       @identifiers = identifiers
       @private_key = private_key
       @challenge_responder_rules = challenge_responder_rules
@@ -23,7 +25,7 @@ def initialize(acme:, identifiers:, private_key:, challenge_responder_rules:, ch
       @not_after = not_after
     end
 
-    attr_reader :acme, :identifiers, :private_key, :challenge_responder_rules, :chain_preferences, :not_before, :not_after
+    attr_reader :acme, :common_name, :identifiers, :private_key, :challenge_responder_rules, :chain_preferences, :not_before, :not_after
 
     def perform!
       puts "=> Ordering a certificate for the following identifiers:"
@@ -43,7 +45,7 @@ def perform!
       finalize_order()
       wait_order_for_complete()
 
-      @certificate = Certificate.by_issuance(pem_chain, csr)
+      @certificate = Certificate.by_issuance(pem_chain, csr, name: common_name)
 
       puts
       puts "=> Certificate issued"
@@ -97,11 +99,6 @@ def order
       @order or raise "BUG: order not yet generated"
     end
 
-    # @return [String]
-    def common_name
-      identifiers.first
-    end
-
     # @return [Array<String>]
     def sans
       identifiers[1..-1]