Update changelog for v1.6.0-rc2 and enhance certificate validation in customcert plugin

2026-05-24 09:28:37 +00:00 · 2025-01-13 11:54:03 +01:00 · 2025-01-13 11:54:03 +01:00 · 5749947b62
commit 5749947b62
parent 18535b9307
2 changed files with 27 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,8 +1,9 @@
 # Changelog

-## v1.6.0 - ????/??/??
+## v1.6.0-rc2 - ????/??/??

 - [UI] Fixed condition when validating the setup wizard form when a custom certificate is used
+- [FEATURE] Add extra validation of certificates in `customcert` plugin
 - [DEPS] Updated libmaxminddb version to v1.12.2

 ## v1.6.0-rc1 - 2025/01/10
--- a/src/common/core/customcert/jobs/custom-cert.py
+++ b/src/common/core/customcert/jobs/custom-cert.py
@ -3,8 +3,10 @@
 from os import getenv, sep
 from os.path import join
 from pathlib import Path
+from subprocess import DEVNULL, run
 from sys import exit as sys_exit, path as sys_path
 from base64 import b64decode
+from tempfile import NamedTemporaryFile
 from typing import Tuple, Union

 for deps_path in [join(sep, "usr", "share", "bunkerweb", *paths) for paths in (("deps", "python"), ("utils",), ("db",))]:
@ -35,6 +37,29 @@ def check_cert(cert_file: Union[Path, bytes], key_file: Union[Path, bytes], firs
                return False, f"Key file {key_file} is not a valid file, ignoring the custom certificate"
            key_file = key_file.read_bytes()

+        # Write to temporary files for OpenSSL validation
+        with NamedTemporaryFile(delete=False) as cert_temp, NamedTemporaryFile(delete=False) as key_temp:
+            try:
+                cert_temp.write(cert_file)
+                key_temp.write(key_file)
+                cert_temp.flush()
+                key_temp.flush()
+
+                # Validate the certificate using OpenSSL
+                result = run(
+                    ["openssl", "x509", "-checkend", "86400", "-noout", "-in", cert_temp.name],
+                    stdin=DEVNULL,
+                    stderr=DEVNULL,
+                    check=False,
+                )
+
+                if result.returncode != 0:
+                    return False, "Certificate is invalid or will expire within the next 24 hours."
+            finally:
+                # Clean up temporary files
+                Path(cert_temp.name).unlink(missing_ok=True)
+                Path(key_temp.name).unlink(missing_ok=True)
+
        cert_hash = bytes_hash(cert_file)
        old_hash = JOB.cache_hash("cert.pem", service_id=first_server)
        if old_hash != cert_hash: