fix: error occurred tring to get ssl certificates with a low version suite in monitoring

2026-06-13 21:01:32 +08:00 · 2025-07-25 10:45:36 +08:00 · 2025-07-25 10:45:36 +08:00 · b8c19eaddf
commit b8c19eaddf
parent 33e2dca367
3 changed files with 39 additions and 23 deletions
--- a/internal/workflow/node-processor/monitor_node.go
+++ b/internal/workflow/node-processor/monitor_node.go
@ -2,7 +2,6 @@ package nodeprocessor

 import (
 	"context"
-	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"log/slog"
@ -15,6 +14,7 @@ import (

 	"github.com/certimate-go/certimate/internal/domain"
 	xhttp "github.com/certimate-go/certimate/pkg/utils/http"
+	xtls "github.com/certimate-go/certimate/pkg/utils/tls"
 )

 type monitorNode struct {
@ -117,10 +117,7 @@ func (n *monitorNode) Process(ctx context.Context) error {

 func (n *monitorNode) tryRetrievePeerCertificates(ctx context.Context, addr, domain, requestPath string) ([]*x509.Certificate, error) {
 	transport := xhttp.NewDefaultTransport()
-	if transport.TLSClientConfig == nil {
-		transport.TLSClientConfig = &tls.Config{}
-	}
-	transport.TLSClientConfig.InsecureSkipVerify = true
+	transport.TLSClientConfig = xtls.NewInsecureConfig()

 	client := &http.Client{
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
@ -138,6 +135,7 @@ func (n *monitorNode) tryRetrievePeerCertificates(ctx context.Context, addr, dom
 		return nil, err
 	}

+	req.Header.Set("Host", domain)
 	req.Header.Set("User-Agent", "certimate")
 	resp, err := client.Do(req)
 	if err != nil {
--- a/pkg/core/notifier/providers/email/email.go
+++ b/pkg/core/notifier/providers/email/email.go
@ -2,7 +2,6 @@ package email

 import (
 	"context"
-	"crypto/tls"
 	"errors"
 	"log/slog"
 	"net"
@ -12,6 +11,7 @@ import (
 	"github.com/domodwyer/mailyak/v3"

 	"github.com/certimate-go/certimate/pkg/core"
+	xtls "github.com/certimate-go/certimate/pkg/utils/tls"
 )

 type NotifierProviderConfig struct {
@ -79,7 +79,7 @@ func (n *NotifierProvider) Notify(ctx context.Context, subject string, message s

 	var yak *mailyak.MailYak
 	if n.config.SmtpTls {
-		yakWithTls, err := mailyak.NewWithTLS(smtpAddr, smtpAuth, newTlsConfig())
+		yakWithTls, err := mailyak.NewWithTLS(smtpAddr, smtpAuth, xtls.NewCompatibleConfig())
 		if err != nil {
 			return nil, err
 		}
@ -100,19 +100,3 @@ func (n *NotifierProvider) Notify(ctx context.Context, subject string, message s

 	return &core.NotifyResult{}, nil
 }
-
-func newTlsConfig() *tls.Config {
-	var suiteIds []uint16
-	for _, suite := range tls.CipherSuites() {
-		suiteIds = append(suiteIds, suite.ID)
-	}
-	for _, suite := range tls.InsecureCipherSuites() {
-		suiteIds = append(suiteIds, suite.ID)
-	}
-
-	// 为兼容国内部分低版本 TLS 的 SMTP 服务商
-	return &tls.Config{
-		MinVersion:   tls.VersionTLS10,
-		CipherSuites: suiteIds,
-	}
-}
--- a/pkg/utils/tls/config.go
+++ b/pkg/utils/tls/config.go
@ -0,0 +1,34 @@
+package tls
+
+import (
+	"crypto/tls"
+)
+
+// 创建并返回一个兼容低版的 [tls.Config] 对象。
+//
+// 出参：
+//   - config: [tls.Config] 对象。
+func NewCompatibleConfig() *tls.Config {
+	var suiteIds []uint16
+	for _, suite := range tls.CipherSuites() {
+		suiteIds = append(suiteIds, suite.ID)
+	}
+	for _, suite := range tls.InsecureCipherSuites() {
+		suiteIds = append(suiteIds, suite.ID)
+	}
+
+	return &tls.Config{
+		MinVersion:   tls.VersionTLS10,
+		CipherSuites: suiteIds,
+	}
+}
+
+// 创建并返回一个不安全的 [tls.Config] 对象。
+//
+// 出参：
+//   - config: [tls.Config] 对象。
+func NewInsecureConfig() *tls.Config {
+	config := NewCompatibleConfig()
+	config.InsecureSkipVerify = true
+	return config
+}