fix ssl certificate renewal

peterjah · peterjah · commit 57ee46859ed5 · 2025-09-16T12:55:53.000+02:00
diff --git a/int/config/check.go b/int/config/check.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"time"
 
 	"github.com/massalabs/station/int/configuration"
 	"github.com/massalabs/station/pkg/certificate"
@@ -28,31 +29,19 @@ func Check() error {
 
 	certPath := filepath.Join(caRootPath, configuration.CertificateAuthorityFileName)
 
-	isBrandNewCA := false
-
-	_, err = os.Stat(certPath)
-	if os.IsNotExist(err) {
-		err = certificate.GenerateCA(
-			configuration.OrganizationName,
-			configuration.CertificateAuthorityKeyFileName,
-			configuration.CertificateAuthorityFileName,
-			caRootPath,
-		)
-		if err != nil {
-			return caNonBlockingError("failed to generate new CA", err)
-		}
-
-		logger.Infof("A new CA was generated at %s.", certPath)
-
-		// A new CA was generated, we need to clean the certificates.
-		isBrandNewCA = true
+	// Ensure CA certificate exists and is valid
+	isBrandNewCA, err := ensureValidCA(certPath, caRootPath)
+	if err != nil {
+		return caNonBlockingError("failed to ensure valid CA", err)
 	}
 
+	// Check certificate in system store
 	err = checkCertificate(certPath)
 	if err != nil {
 		resultErr = caNonBlockingError("Error while checking certificate", err)
 	}
 
+	// Check NSS configuration
 	err = checkNSS(certPath, isBrandNewCA)
 	if err != nil {
 		resultErr = caNonBlockingError("Error while checking NSS", err)
@@ -61,6 +50,54 @@ func Check() error {
 	return resultErr
 }
 
+// ensureValidCA ensures that a valid CA certificate exists at the specified path.
+// It returns true if a new CA was generated, false if existing CA is valid.
+func ensureValidCA(certPath, caRootPath string) (bool, error) {
+	// Check if certificate file exists
+	_, err := os.Stat(certPath)
+	if os.IsNotExist(err) {
+		logger.Infof("Certificate file does not exist, generating new CA...")
+		return true, generateCA(caRootPath, "certificate file does not exist")
+	}
+
+	// Certificate file exists, validate it
+	existingCert, loadErr := certificate.LoadCertificate(certPath)
+	if loadErr != nil {
+		logger.Warnf("Failed to load existing certificate: %v, generating new one", loadErr)
+		return true, generateCA(caRootPath, "failed to load existing certificate")
+	}
+
+	// Check if certificate is expired
+	if existingCert.NotAfter.Before(time.Now()) {
+		logger.Warnf("Certificate is expired (NotAfter=%s), generating new one", existingCert.NotAfter.String())
+		return true, generateCA(caRootPath, "certificate is expired")
+	}
+
+	// Certificate is valid
+	logger.Debugf("Certificate is valid until %s", existingCert.NotAfter.String())
+	return false, nil
+}
+
+// generateCA generates a new CA certificate with consistent parameters and logging.
+func generateCA(caRootPath, reason string) error {
+	logger.Infof("Generating new CA certificate (reason: %s)...", reason)
+
+	err := certificate.GenerateCA(
+		configuration.OrganizationName,
+		configuration.CertificateAuthorityKeyFileName,
+		configuration.CertificateAuthorityFileName,
+		caRootPath,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to generate CA certificate: %w", err)
+	}
+
+	certPath := filepath.Join(caRootPath, configuration.CertificateAuthorityFileName)
+	logger.Infof("New CA certificate generated successfully at %s", certPath)
+
+	return nil
+}
+
 // nonBlockingError logs a non blocking error. It always returns a `nil` error to be used in `return`.
 func nonBlockingError(context string, consequence string, err error) error {
 	if err != nil {
@@ -78,27 +115,49 @@ func caNonBlockingError(context string, err error) error {
 
 // checkCertificate checks the certificate configuration.
 func checkCertificate(certPath string) error {
+	// Load certificate
+	certCA, err := loadCertificate(certPath)
+	if err != nil {
+		return err
+	}
+
+	// Check if certificate is trusted by the operating system
+	return ensureCertificateInSystemStore(certCA)
+}
+
+// loadCertificate loads a certificate.
+func loadCertificate(certPath string) (*x509.Certificate, error) {
 	certCA, err := certificate.LoadCertificate(certPath)
 	if err != nil {
-		return fmt.Errorf("failed to load the CA: %w", err)
+		return nil, fmt.Errorf("failed to load the CA: %w", err)
 	}
 
-	// disable linting as we don't care about checking specific attributes
-	//nolint:exhaustruct
-	_, err = certCA.Verify(x509.VerifyOptions{})
+	return certCA, nil
+}
+
+// ensureCertificateInSystemStore ensures the certificate is trusted by the operating system.
+func ensureCertificateInSystemStore(certCA *x509.Certificate) error {
+	// Check if certificate is already trusted by the OS
+	//nolint:exhaustruct // We don't care about checking specific attributes
+	_, err := certCA.Verify(x509.VerifyOptions{})
 	if err != nil {
-		logger.Debug("the CA is not known by the operating system.")
+		logger.Debug("Certificate is not trusted by the operating system, adding to store")
+		return addCertificateToSystemStore(certCA)
+	}
 
-		err := store.Add(certCA)
-		if err != nil {
-			return fmt.Errorf("failed to add the CA to the operating system: %w", err)
-		}
+	logger.Debug("Certificate is already trusted by the operating system")
+	return nil
+}
 
-		logger.Debug("the CA was added to the operating system.")
-	} else {
-		logger.Debug("the CA is known by the operating system.")
+// addCertificateToSystemStore adds a certificate to the operating system store.
+func addCertificateToSystemStore(certCA *x509.Certificate) error {
+	err := store.Add(certCA)
+	if err != nil {
+		logger.Errorf("Failed to add certificate to operating system: %v", err)
+		return fmt.Errorf("failed to add the CA to the operating system: %w", err)
 	}
 
+	logger.Debug("Certificate successfully added to the operating system store")
 	return nil
 }
 
diff --git a/int/config/manager.go b/int/config/manager.go
@@ -23,10 +23,8 @@ const (
 	configDirName     = "massa-station"
 )
 
-var (
-	// ErrNetworkAlreadyExists is returned when trying to add a network with a name that already exists
-	ErrNetworkAlreadyExists = errors.New("network already exists")
-)
+// ErrNetworkAlreadyExists is returned when trying to add a network with a name that already exists
+var ErrNetworkAlreadyExists = errors.New("network already exists")
 
 // MSConfigManager represents a manager for network configurations.
 type MSConfigManager struct {
diff --git a/pkg/certificate/store/store_windows.go b/pkg/certificate/store/store_windows.go
@@ -5,10 +5,17 @@ import (
 	"fmt"
 	"syscall"
 	"unsafe"
+
+	"github.com/massalabs/station/pkg/logger"
 )
 
 const (
 	CRYPT_E_NOT_FOUND = 0x80092004
+
+	// Certificate store addition flags
+	CERT_STORE_ADD_NEW              = 1
+	CERT_STORE_ADD_REPLACE_EXISTING = 3
+	CERT_STORE_ADD_ALWAYS           = 4
 )
 
 // The functions below return an error even though they succeed.
@@ -24,6 +31,8 @@ var (
 
 // Add adds the given certificate to the windows root store.
 func Add(cert *x509.Certificate) error {
+	logger.Debugf("Adding certificate to Windows store: Subject=%s", cert.Subject.String())
+
 	rootStore, err := openStore()
 	if err != nil {
 		return fmt.Errorf("failed to open windows root store: %w", err)
@@ -39,6 +48,7 @@ func Add(cert *x509.Certificate) error {
 		return fmt.Errorf("failed to close windows root store: %w", err)
 	}
 
+	logger.Debugf("Successfully added certificate to Windows root store")
 	return nil
 }
 
@@ -89,26 +99,54 @@ func closeStore(store uintptr) error {
 	return nil
 }
 
-// addCertificateToStore adds the given certificate to the windows root store.
-func addCertificateToStore(store uintptr, cert *x509.Certificate) error {
-	if store == 0 {
-		return fmt.Errorf("pointer is nil")
-	}
-
+// addCertificateWithFlag attempts to add a certificate using the specified store flag.
+func addCertificateWithFlag(store uintptr, cert *x509.Certificate, flag uintptr) (bool, error) {
 	ret, _, err := procCertAddEncodedCertificateToStore.Call(
 		uintptr(store),
 		uintptr(syscall.X509_ASN_ENCODING|syscall.PKCS_7_ASN_ENCODING),
 		uintptr(unsafe.Pointer(&cert.Raw[0])),
 		uintptr(len(cert.Raw)),
-		3,
+		flag,
 		0,
 	)
 
-	if ret == 0 && err != nil {
+	return ret != 0, err
+}
+
+// addCertificateToStore adds the given certificate to the windows root store.
+func addCertificateToStore(store uintptr, cert *x509.Certificate) error {
+	if store == 0 {
+		return fmt.Errorf("pointer is nil")
+	}
+
+	// Try CERT_STORE_ADD_NEW first
+	success, err := addCertificateWithFlag(store, cert, CERT_STORE_ADD_NEW)
+	if success {
+		return nil // Success
+	}
+
+	// If failed, try CERT_STORE_ADD_REPLACE_EXISTING
+	logger.Debugf("Certificate addition with ADD_NEW failed, trying REPLACE_EXISTING")
+	success, err = addCertificateWithFlag(store, cert, CERT_STORE_ADD_REPLACE_EXISTING)
+	if success {
+		logger.Debugf("Certificate successfully replaced existing")
+		return nil
+	}
+
+	// Final fallback: try CERT_STORE_ADD_ALWAYS
+	success, err = addCertificateWithFlag(store, cert, CERT_STORE_ADD_ALWAYS)
+	if success {
+		logger.Debugf("Certificate successfully added with ALWAYS flag")
+		return nil
+	}
+
+	// All strategies failed
+	logger.Errorf("All certificate addition strategies failed")
+	if err != nil {
 		return fmt.Errorf("failed adding cert: %w", err)
 	}
 
-	return nil
+	return fmt.Errorf("failed adding cert: all strategies returned 0")
 }
 
 // deleteCertificateFromStore removes the given certificate from the windows root store.
diff --git a/pkg/certstore/store_windows.go b/pkg/certstore/store_windows.go
@@ -156,14 +156,29 @@ func (s *CertStore) AddCertificate(cert *x509.Certificate) error {
 		return err
 	}
 
+	// First try to add as new certificate
 	err = s.winAPI.CertAddCertificateContextToStore(
 		s.handler,
 		certContextPtr,
 		windows.CERT_STORE_ADD_NEW,
 		nil,
 	)
 	if err != nil {
-		return interpretError(err)
+		interpretedErr := interpretError(err)
+		// If certificate already exists (possibly expired), replace it
+		if errors.Is(interpretedErr, ErrCertAlreadyExists) {
+			err = s.winAPI.CertAddCertificateContextToStore(
+				s.handler,
+				certContextPtr,
+				windows.CERT_STORE_ADD_REPLACE_EXISTING,
+				nil,
+			)
+			if err != nil {
+				return interpretError(err)
+			}
+		} else {
+			return interpretedErr
+		}
 	}
 
 	return nil
diff --git a/pkg/certstore/store_windows_test.go b/pkg/certstore/store_windows_test.go
@@ -81,20 +81,44 @@ func TestCertStore_AddCertificate(t *testing.T) {
 			wantErr: otherError,
 		},
 		{
-			name:    "error when CertAddCertificateContextToStore fails",
+			name:    "error when CertAddCertificateContextToStore fails with non-exists error",
 			handler: windows.Handle(1),
 			setupMock: func() {
 				mockAPI.EXPECT().CertCreateCertificateContext(gomock.Any(), gomock.Any(), gomock.Any()).Return(mockCertContext, nil)
-				mockAPI.EXPECT().CertAddCertificateContextToStore(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(ErrCertAlreadyExists)
+				mockAPI.EXPECT().CertAddCertificateContextToStore(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(otherError)
 			},
-			wantErr: ErrCertAlreadyExists,
+			wantErr: otherError,
+		},
+		{
+			name:    "success when certificate already exists - replace existing",
+			handler: windows.Handle(1),
+			setupMock: func() {
+				mockAPI.EXPECT().CertCreateCertificateContext(gomock.Any(), gomock.Any(), gomock.Any()).Return(mockCertContext, nil)
+				// First call fails with ErrCertAlreadyExists
+				mockAPI.EXPECT().CertAddCertificateContextToStore(gomock.Any(), gomock.Any(), gomock.Eq(uint32(1)), gomock.Any()).Return(ErrCertAlreadyExists)
+				// Second call with replace flag succeeds
+				mockAPI.EXPECT().CertAddCertificateContextToStore(gomock.Any(), gomock.Any(), gomock.Eq(uint32(3)), gomock.Any()).Return(nil)
+			},
+			wantErr: nil,
+		},
+		{
+			name:    "error when certificate already exists and replace also fails",
+			handler: windows.Handle(1),
+			setupMock: func() {
+				mockAPI.EXPECT().CertCreateCertificateContext(gomock.Any(), gomock.Any(), gomock.Any()).Return(mockCertContext, nil)
+				// First call fails with ErrCertAlreadyExists
+				mockAPI.EXPECT().CertAddCertificateContextToStore(gomock.Any(), gomock.Any(), gomock.Eq(uint32(1)), gomock.Any()).Return(ErrCertAlreadyExists)
+				// Second call with replace flag also fails
+				mockAPI.EXPECT().CertAddCertificateContextToStore(gomock.Any(), gomock.Any(), gomock.Eq(uint32(3)), gomock.Any()).Return(otherError)
+			},
+			wantErr: otherError,
 		},
 		{
 			name:    "success case",
 			handler: windows.Handle(1),
 			setupMock: func() {
 				mockAPI.EXPECT().CertCreateCertificateContext(gomock.Any(), gomock.Any(), gomock.Any()).Return(mockCertContext, nil)
-				mockAPI.EXPECT().CertAddCertificateContextToStore(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
+				mockAPI.EXPECT().CertAddCertificateContextToStore(gomock.Any(), gomock.Any(), gomock.Eq(uint32(1)), gomock.Any()).Return(nil)
 			},
 			wantErr: nil,
 		},
