From 64e3e3872c6859a58dc43a495dd101b341b71d59 Mon Sep 17 00:00:00 2001
From: Davide Principi
Date: Fri, 21 Feb 2025 12:51:13 +0100
Subject: [PATCH] feat: export certificates for SAN

Write Redis keys for certificate SAN as well.
---
 imageroot/bin/export-certificate | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/imageroot/bin/export-certificate b/imageroot/bin/export-certificate
index 4b5f197..184ab41 100755
--- a/imageroot/bin/export-certificate
+++ b/imageroot/bin/export-certificate
@@ -19,6 +19,7 @@ import json
 import agent
 import os.path
 import sys
+import cert_helpers
 
 module_id = os.environ['MODULE_ID']
 node_id = os.environ['NODE_ID']
@@ -33,10 +34,20 @@ except Exception as ex:
     print(agent.SD_WARNING + f"ACME TLS certificates for Traefik were not found in {path}: {ex}", file=sys.stderr)
     sys.exit(0)
 
-rdb = agent.redis_connect(privileged=True)
+def process_certificates(certificates):
+    rdb = agent.redis_connect(privileged=True)
+    default_cert_names = cert_helpers.read_default_cert_names()
+    for info in certificates:
+        cur_cert_names = [info["domain"]["main"]] + info["domain"].get("sans", [])
+        if cur_cert_names[0] == default_cert_names[0] and cur_cert_names != default_cert_names:
+            print("[DEBUG] Ignoring certificate (main + sans):", cur_cert_names)
+            continue # ignore if certificate has SAN and is not the default one
+        for fqdn in cur_cert_names:
+            export_certificate(fqdn, info, rdb)
 
-for info in certificates:
-    rkey = f'module/{module_id}/certificate/{info["domain"]["main"]}'
+def export_certificate(fqdn, info, rdb):
+    global module_id, node_id, path
+    rkey = f'module/{module_id}/certificate/{fqdn}'
     cur_cert = rdb.hget(rkey, 'cert')
     cur_key = rdb.hget(rkey, 'key')
     custom = rdb.hget(rkey, 'custom')
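Review bot: The inline comment on the `continue` in `process_certificates` does not match the condition above it: the branch skips a certificate whose main name equals the default certificate's main name but whose (main + sans) list differs, while a SAN certificate with a different main name is still exported under every one of its names. Suggest `continue  # skip a same-main certificate whose (main + sans) list differs from the default one`. The comparison `cur_cert_names != default_cert_names` is also order-sensitive, so if `read_default_cert_names()` returns the names in a different order than the Traefik JSON, the default certificate itself would be silently skipped and never written to Redis; comparing `set(cur_cert_names) != set(default_cert_names)` would be safer unless the ordering is guaranteed. `default_cert_names[0]` raises IndexError when the helper returns an empty list, and `cert_helpers` is not on this page, so whether that can happen needs checking. The `global module_id, node_id, path` line in `export_certificate` is unnecessary for read-only access and, as far as the visible body shows (it continues into the next hunk), `path` is never used there, so the line can be dropped.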
@@ -44,11 +55,11 @@ for info in certificates:
     if not custom or custom != "true":
         # save the certificate only if not exists or if has been changed
         if (not cur_cert or cur_cert != info["certificate"]) or (not cur_key or cur_key != info["key"]):
-            print(f'Saving certificate and key to {rkey}')
+            print(f'Saving certificate and key to {rkey} - DEPRECATED! Modules must run the get-certificate command or invoke action module/{module_id}/get-certificate')
             rdb.hset(rkey, mapping={"cert": info["certificate"], "key": info["key"], "custom": "false"})
-            # signal the certificate-updated event
             event_key = f'module/{module_id}/event/certificate-updated'
-            print(f'Publishing event {event_key}')
             event = {"rkey": rkey, "node": node_id, "module": module_id, "domain": info["domain"], "custom": False}
             rdb.publish(event_key, json.dumps(event))
 
+
+process_certificates(certificates)
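Review bot: The `certificate-updated` event built at the end of `export_certificate` (whose signature is in the previous hunk; its body ends here) now carries a per-name `rkey` but the whole `info["domain"]` object, so for a SAN certificate subscribers receive one event per exported name, all with the same `domain` and the same cert/key material; the intent is not obvious from the code, so a comment such as `# one event per exported name; "domain" is the certificate's full main+sans record` would help the next reader. The `DEPRECATED!` notice is printed only inside the change check, so a module whose certificate is already in Redis and unchanged never sees it; if the aim is to steer modules to `get-certificate`, printing the notice once per run outside the `if` would reach them. Writing the private key under every SAN name multiplies the Redis keys holding it, which is presumably intended, but the skip logic in the previous hunk is the only thing preventing a non-default same-main certificate from overwriting a module's key, so that condition deserves a test.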