Commit b1997fe
acme: parse the leaf cert for expiry, not the whole chain
cert_not_after() called Certificate::from_pem() on the full chain (leaf +
intermediates). purecrypto's parser rejects the trailing certificates
(Der(Pem)), so it returned None for every real fullchain. Combined with the
recent near_expiry(None) => true hardening, the manager judged a perfectly
valid cert as "needs renewal" on every connection and re-issued in a loop
until Let's Encrypt's duplicate-certificate rate limit refused further
orders — at which point issuance failed, the host entered the negative
cache, and live TLS connections were rejected (handshake EOF) while the
on-disk cert was valid for months.
Parse only the leaf (first PEM block) so the real expiry is read and a
healthy cert is served without churn. Verified end to end against the
production cert (leaf parses; whole chain errors).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>1 parent ea74041 commit b1997fe
1 file changed
Lines changed: 32 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
557 | 557 | | |
558 | 558 | | |
559 | 559 | | |
560 | | - | |
| 560 | + | |
| 561 | + | |
| 562 | + | |
| 563 | + | |
| 564 | + | |
| 565 | + | |
| 566 | + | |
561 | 567 | | |
562 | 568 | | |
563 | 569 | | |
| 570 | + | |
| 571 | + | |
| 572 | + | |
| 573 | + | |
| 574 | + | |
| 575 | + | |
| 576 | + | |
| 577 | + | |
| 578 | + | |
564 | 579 | | |
565 | 580 | | |
566 | 581 | | |
| |||
573 | 588 | | |
574 | 589 | | |
575 | 590 | | |
| 591 | + | |
| 592 | + | |
| 593 | + | |
| 594 | + | |
| 595 | + | |
| 596 | + | |
| 597 | + | |
| 598 | + | |
| 599 | + | |
| 600 | + | |
| 601 | + | |
| 602 | + | |
| 603 | + | |
| 604 | + | |
| 605 | + | |
| 606 | + | |
576 | 607 | | |
577 | 608 | | |
578 | 609 | | |
| |||
0 commit comments