fix for ARI code against certs with no AKI extension (#561)

rmbolger · Aug 18, 2024 · 2eb08fd · 2eb08fd
1 parent 6b0b3c1
commit 2eb08fd
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 31 deletions.
diff --git a/Posh-ACME/Private/Update-PAOrder.ps1 b/Posh-ACME/Private/Update-PAOrder.ps1
@@ -61,38 +61,42 @@ function Update-PAOrder {
         {
             Write-Verbose "Checking for updated renewal window via ARI"
             $cert = $Order | Get-PACertificate
-            $queryParams = @{
-                Uri = '{0}/{1}' -f $ariBase,$cert.ARIId
-                UserAgent = $script:USER_AGENT
-                Headers = $script:COMMON_HEADERS
-                ErrorAction = 'Stop'
-                Verbose = $false
-            }
-            try {
-                Write-Debug "GET $($queryParams.Uri)"
-                $resp = Invoke-RestMethod @queryParams @script:UseBasic
-                Write-Debug "Response:`n$($resp|ConvertTo-Json)"
-            } catch {
-                Write-Warning "ARI request failed."
-                $PSCmdlet.WriteError($_)
-            }
+            if ($cert.ARIId) {
+                $queryParams = @{
+                    Uri = '{0}/{1}' -f $ariBase,$cert.ARIId
+                    UserAgent = $script:USER_AGENT
+                    Headers = $script:COMMON_HEADERS
+                    ErrorAction = 'Stop'
+                    Verbose = $false
+                }
+                try {
+                    Write-Debug "GET $($queryParams.Uri)"
+                    $resp = Invoke-RestMethod @queryParams @script:UseBasic
+                    Write-Debug "Response:`n$($resp|ConvertTo-Json)"
+                } catch {
+                    Write-Warning "ARI request failed."
+                    $PSCmdlet.WriteError($_)
+                }
 
-            if ($resp.suggestedWindow) {
-                $renewAfter = $resp.suggestedWindow.start
-                if ($renewAfter -ne $Order.RenewAfter) {
-                    Write-Verbose "Updating renewal window to $renewAfter from ARI response"
-                    $Order.RenewAfter = $renewAfter
+                if ($resp.suggestedWindow) {
+                    $renewAfter = $resp.suggestedWindow.start
+                    if ($renewAfter -ne $Order.RenewAfter) {
+                        Write-Verbose "Updating renewal window to $renewAfter from ARI response"
+                        $Order.RenewAfter = $renewAfter
 
-                    # Warn if there's an explanation URL
-                    if ($resp.explanationUrl) {
-                        Write-Warning "The ACME Server has suggested an updated renewal window. Visit the following URL for more information:`n$($resp.explanationUrl)"
+                        # Warn if there's an explanation URL
+                        if ($resp.explanationUrl) {
+                            Write-Warning "The ACME Server has suggested an updated renewal window. Visit the following URL for more information:`n$($resp.explanationUrl)"
+                        }
                     }
-                }
 
-                # Warn if the new window is in the past
-                if ((Get-DateTimeOffsetNow) -gt [DateTimeOffset]::Parse($renewAfter)) {
-                    Write-Warning "The ACME Server has indicated this order's certificate should be renewed AS SOON AS POSSIBLE."
+                    # Warn if the new window is in the past
+                    if ((Get-DateTimeOffsetNow) -gt [DateTimeOffset]::Parse($renewAfter)) {
+                        Write-Warning "The ACME Server has indicated this order's certificate should be renewed AS SOON AS POSSIBLE."
+                    }
                 }
+            } else {
+                Write-Warning "Unable to check ARI renewal window because cert object is missing ARIId value."
             }
         }
 

diff --git a/Posh-ACME/Public/Get-PACertificate.ps1 b/Posh-ACME/Public/Get-PACertificate.ps1
@@ -68,9 +68,14 @@ function Get-PACertificate {
             # https://letsencrypt.org/2024/04/25/guide-to-integrating-ari-into-existing-acme-clients#step-3-constructing-the-ari-certid
             # https://www.ietf.org/archive/id/draft-ietf-acme-ari-03.html#name-the-renewalinfo-resource
             $akiExt = $cert.GetExtensionValue([Org.BouncyCastle.Asn1.X509.X509Extensions]::AuthorityKeyIdentifier)
-            $akiBytes = [Org.BouncyCastle.Asn1.X509.AuthorityKeyIdentifier]::GetInstance($akiExt.GetOctets()).GetKeyIdentifier()
-            $serialBytes = $cert.SerialNumber.ToByteArray()
-            $ariID = '{0}.{1}' -f (ConvertTo-Base64Url $akiBytes),(ConvertTo-Base64Url $serialBytes)
+            if ($akiExt) {
+                $akiBytes = [Org.BouncyCastle.Asn1.X509.AuthorityKeyIdentifier]::GetInstance($akiExt.GetOctets()).GetKeyIdentifier()
+                $serialBytes = $cert.SerialNumber.ToByteArray()
+                $ariID = '{0}.{1}' -f (ConvertTo-Base64Url $akiBytes),(ConvertTo-Base64Url $serialBytes)
+            } else {
+                Write-Warning "Cert with subject $($cert.SubjectDN) and serial $($cert.SerialNumber) has no AKI extension. Unable to generate ARIId value."
+                $ariID = $null
+            }
 
             # send the output object to the pipeline
             [pscustomobject]@{

diff --git a/Posh-ACME/Public/New-PACertificate.ps1 b/Posh-ACME/Public/New-PACertificate.ps1
@@ -193,7 +193,9 @@ function New-PACertificate {
         # Add the replaced cert ID if it exists
         # New-PAOrder will ignore it if the server doesn't support ARI
         if ($oldOrder -and ($cert = ($oldOrder | Get-PACertificate))) {
-            $orderParams.ReplacesCert = $cert.ARIId
+            if ($cert.ARIId) {
+                $orderParams.ReplacesCert = $cert.ARIId
+            }
         }
 
         # add common explicit order parameters backed up by old order params