checks for isCA and duration

cherry picked from: 10b68eb

pkg/cert/legobridge/certificate.go

@@ -65,7 +65,7 @@ type ObtainInput struct {
 	// KeyType represents the algo and size to use for the private key (only used if CSR is not set).
 	KeyType certcrypto.KeyType
 	// Duration is the lifetime of the certificate
-	Duration time.Duration
+	Duration *time.Duration
 }
 
 // DNSControllerSettings are the settings for the DNSController.
@@ -162,7 +162,6 @@ func obtainForDomains(client *lego.Client, domains []string, input ObtainInput)
 		AlwaysDeactivateAuthorizations: input.AlwaysDeactivateAuthorizations,
 		PreferredChain:                 input.PreferredChain,
 		PrivateKey:                     privateKey,
-		NotAfter:                       time.Now().Add(input.Duration),
 	}
 	return client.Certificate.Obtain(request)
 }
@@ -279,7 +278,6 @@ func obtainForCSR(client *lego.Client, csr []byte, input ObtainInput) (*certific
 		Bundle:                         true,
 		AlwaysDeactivateAuthorizations: input.AlwaysDeactivateAuthorizations,
 		PreferredChain:                 input.PreferredChain,
-		NotAfter:                       time.Now().Add(input.Duration),
 	})
 }
 
@@ -530,7 +528,7 @@ func newCASignedCertFromInput(input ObtainInput) (*certificate.Resource, error)
 
 // newCASignedCertFromCertReq returns a new Certificate signed by a CA based on
 // an x509.CertificateRequest and a CA key pair. A private key will be generated.
-func newCASignedCertFromCertReq(csr *x509.CertificateRequest, CAKeyPair *TLSKeyPair, duration time.Duration) (*certificate.Resource, error) {
+func newCASignedCertFromCertReq(csr *x509.CertificateRequest, CAKeyPair *TLSKeyPair, duration *time.Duration) (*certificate.Resource, error) {
 	pubKeySize := pubKeySize(csr.PublicKey)
 	if pubKeySize == 0 {
 		pubKeySize = defaultKeySize(csr.PublicKeyAlgorithm)

pkg/cert/legobridge/pki.go

@@ -62,7 +62,7 @@ const (
 )
 
 // issueSignedCert does all the Certificate Issuing.
-func issueSignedCert(csr *x509.CertificateRequest, isCA bool, privKey crypto.Signer, privKeyPEM []byte, signerKeyPair *TLSKeyPair, duration time.Duration) (*certificate.Resource, error) {
+func issueSignedCert(csr *x509.CertificateRequest, isCA bool, privKey crypto.Signer, privKeyPEM []byte, signerKeyPair *TLSKeyPair, duration *time.Duration) (*certificate.Resource, error) {
 	csrPEM, err := generateCSRPEM(csr, privKey)
 	if err != nil {
 		return nil, err
@@ -183,7 +183,7 @@ func generateCSRPEM(csr *x509.CertificateRequest, privateKey crypto.Signer) ([]b
 }
 
 // generateCertFromCSR generates an x509.Certificate based on a PEM encoded CSR.
-func generateCertFromCSR(csrPEM []byte, duration time.Duration, isCA bool) (*x509.Certificate, error) {
+func generateCertFromCSR(csrPEM []byte, duration *time.Duration, isCA bool) (*x509.Certificate, error) {
 	var serialNumberLimit = new(big.Int).Lsh(big.NewInt(1), 128)
 
 	csr, err := extractCertificateRequest(csrPEM)
@@ -217,7 +217,7 @@ func generateCertFromCSR(csrPEM []byte, duration time.Duration, isCA bool) (*x50
 		IsCA:                  isCA,
 		Subject:               csr.Subject,
 		NotBefore:             time.Now(),
-		NotAfter:              time.Now().Add(duration),
+		NotAfter:              time.Now().Add(*duration),
 		KeyUsage:              ku,
 		ExtKeyUsage:           DefaultCertExtKeyUsage,
 		DNSNames:              csr.DNSNames,

pkg/controller/issuer/certificate/reconciler.go

@@ -403,9 +403,8 @@ func (r *certReconciler) obtainCertificateAndPendingACME(logctx logger.LogContex
 	if err != nil {
 		return r.failed(logctx, obj, api.StateError, err)
 	}
-	duration, err := r.getDuration(cert)
-	if err != nil {
-		return r.failedStop(logctx, obj, api.StateError, err)
+	if cert.Spec.Duration != nil {
+		return r.failedStop(logctx, obj, api.StateError, fmt.Errorf("duration cannot be set for ACME certificate"))
 	}
 	err = r.validateDomainsAndCsr(&cert.Spec, issuer.Spec.ACME.Domains, issuerKey)
 	if err != nil {
@@ -505,7 +504,6 @@ func (r *certReconciler) obtainCertificateAndPendingACME(logctx logger.LogContex
 		AlwaysDeactivateAuthorizations: r.alwaysDeactivateAuthorizations,
 		PreferredChain:                 preferredChain,
 		KeyType:                        keyType,
-		Duration:                       duration,
 	}
 
 	err = r.obtainer.Obtain(input)
@@ -559,10 +557,15 @@ func (r *certReconciler) obtainCertificateCA(logctx logger.LogContext, obj resou
 	if err != nil {
 		return r.failed(logctx, obj, api.StateError, err)
 	}
+
 	duration, err := r.getDuration(cert)
 	if err != nil {
 		return r.failedStop(logctx, obj, api.StateError, err)
 	}
+	if duration == nil {
+		defaultDuration := 2 * legobridge.DefaultCertDuration
+		duration = &defaultDuration
+	}
 	err = r.validateCertDuration(duration, CAKeyPair)
 	if err != nil {
 		return r.failedStop(logctx, obj, api.StateError, err)
@@ -655,22 +658,22 @@ func (r *certReconciler) checkDomainRangeRestriction(issuerDomains *api.DNSSelec
 	return nil
 }
 
-func (r *certReconciler) getDuration(cert *api.Certificate) (time.Duration, error) {
-	duration := legobridge.DefaultCertDuration
-	if cert.Spec.Duration != nil {
-		duration = cert.Spec.Duration.Duration
-		if duration < 2*r.renewalWindow {
-			return 0, fmt.Errorf("certificate duration must be greater than %v", 2*r.renewalWindow)
-		}
+func (r *certReconciler) getDuration(cert *api.Certificate) (*time.Duration, error) {
+	if cert.Spec.Duration == nil {
+		return nil, nil
+	}
+	duration := cert.Spec.Duration.Duration
+	if duration < 2*r.renewalWindow {
+		return nil, fmt.Errorf("certificate duration must be greater than %v", 2*r.renewalWindow)
 	}
-	return duration, nil
+	return ptr.To(duration), nil
 }
 
-func (r *certReconciler) validateCertDuration(duration time.Duration, caKeyPair *legobridge.TLSKeyPair) error {
+func (r *certReconciler) validateCertDuration(duration *time.Duration, caKeyPair *legobridge.TLSKeyPair) error {
 	caNotAfter := caKeyPair.Cert.NotAfter
 	now := time.Now()
-	if now.Add(duration).After(caNotAfter) {
-		return fmt.Errorf("certificate lifetime (%v) is longer than the lifetime of the CA certificate (%v)", now.Add(duration), caNotAfter)
+	if now.Add(*duration).After(caNotAfter) {
+		return fmt.Errorf("certificate lifetime (%v) is longer than the lifetime of the CA certificate (%v)", now.Add(*duration), caNotAfter)
 	}
 	return nil
 }