diff --git a/cert/ca.go b/cert/ca.go
index 0899146b1..cfb99c220 100644
--- a/cert/ca.go
+++ b/cert/ca.go
@@ -32,29 +32,29 @@ func NewCAPoolFromBytes(caPEMs []byte) (*NebulaCAPool, []error, error) {
 pool := NewCAPool()
 var err error
 var warnings []error
- var expired bool
+ good := 0
+
 for {
 caPEMs, err = pool.AddCACertificate(caPEMs)
 if errors.Is(err, ErrExpired) {
- expired = true
- err = nil
+ warnings = append(warnings, err)
 } else if errors.Is(err, ErrInvalidPEMCertificateUnsupported) {
 warnings = append(warnings, err)
- err = nil
- }
- if err != nil {
+ } else if err != nil {
 return nil, warnings, err
+ } else {
+ // Only consider a good certificate if there were no errors present
+ good++
 }
+
 if len(caPEMs) == 0 || strings.TrimSpace(string(caPEMs)) == "" {
 break
 }
 }
- if len(pool.CAs) == 0 {
+
+ if good == 0 {
 return nil, warnings, errors.New("no valid CA certificates present")
 }
- if expired {
- return pool, warnings, ErrExpired
- }
 return pool, warnings, nil
 }
diff --git a/pki.go b/pki.go
index d5d806c6f..e5845d1cc 100644
--- a/pki.go
+++ b/pki.go
@@ -227,20 +227,9 @@ func loadCAPoolFromConfig(l *logrus.Logger, c *config.C) (*cert.NebulaCAPool, er
 for _, w := range warnings {
 l.WithError(w).Warn("parsing a CA certificate failed")
 }
- if errors.Is(err, cert.ErrExpired) {
- var expired int
- for _, crt := range caPool.CAs {
- if crt.Expired(time.Now()) {
- expired++
- l.WithField("cert", crt).Warn("expired certificate present in CA pool")
- }
- }
- if expired >= len(caPool.CAs) {
- return nil, errors.New("no valid CA certificates present")
- }
- } else if err != nil {
- return nil, fmt.Errorf("error while adding CA certificate to CA trust store: %s", err)
+ if err != nil {
+ return nil, fmt.Errorf("could not create CA certificate pool: %s", err)
 }
 for _, fp := range c.GetStringSlice("pki.blocklist", []string{}) {
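Review bot: The `errors.Is(err, ErrExpired)` branch appends the bare error from `AddCACertificate` to `warnings`, so unless that error already identifies the certificate, callers can no longer tell which CA expired — the per-certificate `expired certificate present in CA pool` log that pki.go derived from `caPool.CAs` is removed in the second hunk, and the caller's warning loop (a context line there) now reports it as `parsing a CA certificate failed`. If `AddCACertificate` still places the expired certificate in `pool.CAs` when it returns `ErrExpired` (the removed pki.go loop over `caPool.CAs` suggests it did), the pool returned when `good > 0` continues to hold that expired CA as a trust anchor and `good == 0` only rejects the all-expired case; that is unchanged behaviour, but it is now invisible at the log level. A comment on the `good++` line would make the contract explicit, e.g. `// good counts only certificates added without error; an expired CA is reported via warnings and, depending on AddCACertificate, may still be present in pool.CAs`. If the expired error does not carry the certificate, wrapping it with whatever identity `AddCACertificate` exposes before appending to `warnings` would restore the operator-visible signal the old code had.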