refactor: harden security, fix bugs, and improve architecture
Security:
- Change private key file permissions from 0644 to 0600
- Add domain name validation to prevent path traversal attacks
- Fix RSA private key JSON serialization with PEM-based round-trip
- Use explicit file permissions in saveCertificateChain
Bug fixes:
- AddCustomCert now stores file paths in CertFile/KeyFile, not PEM content
- Parse real certificate expiry from x509 instead of hardcoded 88d/1y
- HTTPHandler now respects Staging flag for ACME directory URL
Architecture:
- Add context.Context support to IssueCert and internal ACME calls
- Add in-memory certificate cache in GetCert with InvalidateCertCache
- Replace log.Printf with optional Logger interface
- Use client.WaitAuthorization instead of manual polling loop
Tests:
- Add domain validation, RSA key round-trip, and file permission tests
- Update AddCustomCert test to use real self-signed certificate
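
The first two security items, shown as an added Go example (not code from this commit or project): a domain name is validated before it is used as a path component, and the key file ends up 0600 even if an older 0644 copy already exists. The names `validateDomain` and `saveKey` and the `<baseDir>/<domain>/privkey.pem` layout are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

var labelRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`) // one DNS label

// validateDomain (hypothetical name) accepts only plain hostnames, so "..",
// "/", "\" and NUL never reach the filesystem layer.
func validateDomain(name string) error {
	if name == "" || len(name) > 253 {
		return fmt.Errorf("invalid domain length %d", len(name))
	}
	for _, label := range strings.Split(strings.ToLower(name), ".") {
		if !labelRe.MatchString(label) {
			return fmt.Errorf("invalid domain label %q", label)
		}
	}
	return nil
}

// saveKey (hypothetical name and layout) writes <baseDir>/<domain>/privkey.pem.
func saveKey(baseDir, domain string, keyPEM []byte) (string, error) {
	if err := validateDomain(domain); err != nil {
		return "", err
	}
	dir := filepath.Join(baseDir, strings.ToLower(domain))
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return "", err
	}
	path := filepath.Join(dir, "privkey.pem")
	if err := os.WriteFile(path, keyPEM, 0o600); err != nil {
		return "", err
	}
	// WriteFile sets the mode only on creation; tighten a pre-existing 0644 file.
	return path, os.Chmod(path, 0o600)
}

func main() {
	dir, _ := os.MkdirTemp("", "certs") // scratch directory for the demo
	defer os.RemoveAll(dir)
	for _, d := range []string{"example.com", "../../etc/cron.d"} { // constructed inputs
		fmt.Println(saveKey(dir, d, []byte("constructed placeholder\n")))
	}
}
```

This sketch rejects wildcard names and trailing-dot FQDNs; a store that issues wildcard certificates would need to map `*.` to a safe directory name before the check.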