BUG/MEDIUM: runtime: get the real storage name of certificates

oliwer · oliwer · commit 901e91ee6592 · 2026-02-05T15:11:12.000+01:00
When calling the runtime command "show ssl cert", the returned field
"Filename" is not always the filename of the certificate. If you pass
in an alias, "Filename" will be the alias, not the corresponding filename.

So how can we obtain the true storage name of a certificate? Recent
versions of HAProxy now return 2 new fields for that: "Crt filename" and
"Key filename". This patch uses the "Crt filename" as the storage name
when it is provided, and falls back to "Filename".

Note that storing the private key in a separate file is not supported by
client-native and the other projects depending on it. The function
`ShowCertificate` will return an error if "Crt filename" and "Key
filename" are different.
diff --git a/runtime/certs.go b/runtime/certs.go
@@ -1,6 +1,7 @@
 package runtime
 
 import (
+	"errors"
 	"fmt"
 	"strings"
 	"time"
@@ -87,9 +88,9 @@ func (s *SingleRuntime) ShowCertEntry(storageName string) (*models.SslCertEntry,
 	return parseCertEntry(response)
 }
 
-// parseCertEntry parses one entry in one CrtList file/runtime and returns it structured
+// parseCertEntry parses one entry in one CrtList file and returns it structured
 // example:
-// Filename: /etc/ssl/cert-2.pem
+// Filename: /etc/ssl/cert-2.pem    <= this is just the same name you gave as certificate name, could be an alias
 // Status: Used
 // Serial: 0D933C1B1089BF660AE5253A245BB388
 // notBefore: Sep  9 00:00:00 2020 GMT
@@ -101,12 +102,18 @@ func (s *SingleRuntime) ShowCertEntry(storageName string) (*models.SslCertEntry,
 // Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
 // Chain Subject: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
 // Chain Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
+// *** undocumented, only in recent versions, "Key filename" is optional ***
+// Crt filename: /etc/ssl/cert-2.pem
+// Key filename: /etc/ssl/cert-2.key
 func parseCertEntry(response string) (*models.SslCertEntry, error) {
 	if response == "" || strings.HasPrefix(strings.TrimSpace(response), "#") {
 		return nil, native_errors.ErrNotFound
 	}
 
 	c := &models.SslCertEntry{}
+	var crtFilename string
+	var keyFilename string
+
 	parts := strings.SplitSeq(response, "\n")
 	for p := range parts {
 		before, after, found := strings.Cut(p, ":")
@@ -143,9 +150,27 @@ func parseCertEntry(response string) (*models.SslCertEntry, error) {
 			c.ChainSubject = valueString
 		case "Chain Issuer":
 			c.ChainIssuer = valueString
+		case "Crt filename":
+			crtFilename = valueString
+		case "Key filename":
+			keyFilename = valueString
 		}
 	}
 
+	if crtFilename != "" {
+		c.StorageName = crtFilename
+	}
+
+	// We currently do not support storing the key in a separate file.
+	if keyFilename != "" && keyFilename != crtFilename {
+		return nil, fmt.Errorf("failed to parse certificate info for %s: storing the private key in a separate file is not supported", c.StorageName)
+	}
+
+	// This should be impossible.
+	if c.StorageName == "" {
+		return nil, errors.New("failed to parse certificate info: empty filename")
+	}
+
 	return c, nil
 }
 
diff --git a/runtime/certs_test.go b/runtime/certs_test.go
@@ -186,7 +186,7 @@ func TestSingleRuntime_ShowCertEntry(t *testing.T) {
 			name:   "Simple show certs, should return a cert",
 			fields: fields{socketPath: haProxy.Addr().String()},
 			args: args{
-				storageName: "/etc/ssl/cert-0.pem",
+				storageName: "cert-0",
 			},
 			want: &models.SslCertEntry{
 				StorageName: "/etc/ssl/cert-0.pem",
@@ -206,7 +206,72 @@ func TestSingleRuntime_ShowCertEntry(t *testing.T) {
 				ChainIssuer:     "/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA",
 			},
 			socketResponse: map[string]string{
-				"show ssl cert /etc/ssl/cert-0.pem\n": ` Filename: /etc/ssl/cert-0.pem
+				"show ssl cert cert-0\n": ` Filename: cert-0
+					Status: Used
+					Serial: 0D933C1B1089BF660AE5253A245BB388
+					notBefore: Sep  9 00:00:00 2020 GMT
+					notAfter: Sep 14 12:00:00 2021 GMT
+					Subject Alternative Name: DNS:*.platform.domain.com, DNS:uaa.platform.domain.com
+					Algorithm: RSA4096
+					SHA1 FingerPrint: 59242F1838BDEF3E7DAFC83FFE4DD6C03B88805C
+					Subject: /C=DE/ST=Baden-Württemberg/L=Walldorf/O=ORG SE/CN=*.platform.domain.com
+					Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
+					Chain Subject: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
+					Chain Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
+					Crt filename: /etc/ssl/cert-0.pem
+					Key filename: /etc/ssl/cert-0.pem
+				`,
+			},
+		},
+		{
+			name:   "A certificate without a 'Crt filename'",
+			fields: fields{socketPath: haProxy.Addr().String()},
+			args: args{
+				storageName: "cert-1",
+			},
+			want: &models.SslCertEntry{
+				StorageName: "cert-1",
+				Status:      "Used",
+				Serial:      "0D933C1B1089BF660AE5253A245BB388",
+				NotBefore:   strfmt.Date(notBefore),
+				NotAfter:    strfmt.Date(notAfter),
+				SubjectAlternativeNames: []string{
+					"DNS:*.platform.domain.com",
+					"DNS:uaa.platform.domain.com",
+				},
+				Algorithm:       "RSA4096",
+				Sha1FingerPrint: "59242F1838BDEF3E7DAFC83FFE4DD6C03B88805C",
+				Subject:         "/C=DE/ST=Baden-Württemberg/L=Walldorf/O=ORG SE/CN=*.platform.domain.com",
+				Issuer:          "/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA",
+				ChainSubject:    "/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA",
+				ChainIssuer:     "/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA",
+			},
+			socketResponse: map[string]string{
+				"show ssl cert cert-1\n": ` Filename: cert-1
+					Status: Used
+					Serial: 0D933C1B1089BF660AE5253A245BB388
+					notBefore: Sep  9 00:00:00 2020 GMT
+					notAfter: Sep 14 12:00:00 2021 GMT
+					Subject Alternative Name: DNS:*.platform.domain.com, DNS:uaa.platform.domain.com
+					Algorithm: RSA4096
+					SHA1 FingerPrint: 59242F1838BDEF3E7DAFC83FFE4DD6C03B88805C
+					Subject: /C=DE/ST=Baden-Württemberg/L=Walldorf/O=ORG SE/CN=*.platform.domain.com
+					Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
+					Chain Subject: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
+					Chain Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
+				`,
+			},
+		},
+		{
+			name:   "A certificate with a separate key file",
+			fields: fields{socketPath: haProxy.Addr().String()},
+			args: args{
+				storageName: "cert-2",
+			},
+			want:    nil,
+			wantErr: true,
+			socketResponse: map[string]string{
+				"show ssl cert cert-2\n": ` Filename: cert-2
 					Status: Used
 					Serial: 0D933C1B1089BF660AE5253A245BB388
 					notBefore: Sep  9 00:00:00 2020 GMT
@@ -218,6 +283,8 @@ func TestSingleRuntime_ShowCertEntry(t *testing.T) {
 					Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
 					Chain Subject: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
 					Chain Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
+					Crt filename: /etc/ssl/cert-2.crt
+					Key filename: /etc/ssl/cert-2.key
 				`,
 			},
 		},
