🐛 修复证书过期后加速失效的问题 (#3553)

* 🐛 修复证书过期后加速失效的问题 * 🐛 修复证书过期跨天情况下的加速error情景 * 🎨 CertService 使用证书默认到期时间
BeyondDimension · Nov 26, 2024 · c3d9c45 · c3d9c45
1 parent 039eb60
commit c3d9c45
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 2 deletions.
diff --git a/...ns.Accelerator.ReverseProxy/Services.Implementation/Certificate/CertificateManagerImpl.cs b/...ns.Accelerator.ReverseProxy/Services.Implementation/Certificate/CertificateManagerImpl.cs
@@ -129,7 +129,7 @@ void SharedTrustRootCertificate()
 
     bool SharedCreateRootCertificate()
     {
-        RootCertificate ??= LoadRootCertificate();
+        RootCertificate = LoadRootCertificate();
 
         if (RootCertificate != null)
         {

diff --git a/...s.Accelerator.ReverseProxy/Services.Implementation/HttpServer/Certificates/CertService.cs b/...s.Accelerator.ReverseProxy/Services.Implementation/HttpServer/Certificates/CertService.cs
@@ -83,7 +83,7 @@ X509Certificate2 GetOrCreateCert(ICacheEntry entry)
             entry.SetAbsoluteExpiration(notAfter);
 
             var subjectName = new X500DistinguishedName($"CN={domain}");
-            using var serverCert = CertGenerator.CreateEndCertificate(caCert, subjectName, GetDomains(), notBefore, notAfter);
+            using var serverCert = CertGenerator.CreateEndCertificate(caCert, subjectName, GetDomains());
             var serverCertPfx = serverCert.Export(X509ContentType.Pfx);
             // 将生成的证书导出后重新创建一个
             return new X509Certificate2(serverCertPfx);

diff --git a/...t.Plugins.Accelerator.ReverseProxy/Services.Implementation/YarpReverseProxyServiceImpl.cs b/...t.Plugins.Accelerator.ReverseProxy/Services.Implementation/YarpReverseProxyServiceImpl.cs
@@ -47,9 +47,40 @@ protected override void CheckRootCertificate()
             ICertificateManager.Constants.CheckRootCertificate(
                 platformService,
                 CertificateManager);
+
+            X509Certificate2? cer = CertificateManager.RootCertificatePackable;
+            if (cer is not null && DateTime.Now <= cer.NotAfter && cer.NotAfter <= DateTime.Now.AddMonths(1))
+            {
+                var interval = cer.NotAfter - DateTime.Now;
+
+                _certificateTimer = new System.Timers.Timer(interval)
+                {
+                    AutoReset = false,
+                };
+
+                _certificateTimer.Elapsed += async (_, _) =>
+                {
+                    ICertificateManager.Constants.CheckRootCertificate(
+                        platformService,
+                        CertificateManager);
+
+                    await StopProxyAsync();
+                    await StartProxyImpl();
+                };
+                _certificateTimer.Start();
+            }
         }
     }
 
+    private System.Timers.Timer? _certificateTimer;
+
+    private void StopCertificateTimer()
+    {
+        _certificateTimer?.Stop();
+        _certificateTimer?.Dispose();
+        _certificateTimer = null;
+    }
+
     protected override Task<StartProxyResult> StartProxyImpl() => Task.FromResult(StartProxyCore());
 
     StartProxyResult StartProxyCore()
@@ -153,6 +184,7 @@ public void Exit()
 
     public async Task StopProxyAsync()
     {
+        StopCertificateTimer();
         Scripts = null;
         if (app == null) return;
         await app.StopAsync();

diff --git a/....WTTS.Client.Plugins.Accelerator.ReverseProxy/Services/Certificate/ICertificateManager.cs b/....WTTS.Client.Plugins.Accelerator.ReverseProxy/Services/Certificate/ICertificateManager.cs
@@ -196,6 +196,11 @@ bool IsCertificateInstalled()
                 // 生成证书
                 certificateManager.GenerateCertificate();
 
+                packable = GetRootCertificatePackable();
+                certificate2 = packable;
+                if (certificate2 == null)
+                    return StartProxyResultCode.GetX509Certificate2Fail;
+
                 // 安装证书
                 ICertificateManager.Constants.TrustRootCertificate(
                     GetCerFilePath, platformService, certificate2);