diff --git a/internal/workflow/node-processor/monitor_node.go b/internal/workflow/node-processor/monitor_node.go 
index e9f046f2..10021eab 100644 
--- a/internal/workflow/node-processor/monitor_node.go 
+++ b/internal/workflow/node-processor/monitor_node.go 
@@ -2,7 +2,6 @@ package nodeprocessor
 import (
 "context" 
- "crypto/tls"
 "crypto/x509"
 "fmt"
 "log/slog" 
@@ -15,6 +14,7 @@ import (
 "github.com/certimate-go/certimate/internal/domain"
 xhttp "github.com/certimate-go/certimate/pkg/utils/http" 
+ xtls "github.com/certimate-go/certimate/pkg/utils/tls"
 )
 type monitorNode struct { 
@@ -117,10 +117,7 @@ func (n *monitorNode) Process(ctx context.Context) error {
 func (n *monitorNode) tryRetrievePeerCertificates(ctx context.Context, addr, domain, requestPath string) ([]*x509.Certificate, error) {
 transport := xhttp.NewDefaultTransport() 
- if transport.TLSClientConfig == nil { 
- transport.TLSClientConfig = &tls.Config{} 
- } 
- transport.TLSClientConfig.InsecureSkipVerify = true 
+ transport.TLSClientConfig = xtls.NewInsecureConfig()
 client := &http.Client{
 CheckRedirect: func(req *http.Request, via []*http.Request) error { 
@@ -138,6 +135,7 @@ func (n *monitorNode) tryRetrievePeerCertificates(ctx context.Context, addr, dom
 return nil, err
 } 
+ req.Header.Set("Host", domain)
 req.Header.Set("User-Agent", "certimate")
 resp, err := client.Do(req)
 if err != nil { 
diff --git a/pkg/core/notifier/providers/email/email.go b/pkg/core/notifier/providers/email/email.go 
index 631e8995..6b88d385 100644 
--- a/pkg/core/notifier/providers/email/email.go 
+++ b/pkg/core/notifier/providers/email/email.go 
@@ -2,7 +2,6 @@ package email
 import (
 "context" 
- "crypto/tls"
 "errors"
 "log/slog"
 "net" 
@@ -12,6 +11,7 @@ import (
 "github.com/domodwyer/mailyak/v3"
 "github.com/certimate-go/certimate/pkg/core" 
+ xtls "github.com/certimate-go/certimate/pkg/utils/tls"
 )
 type NotifierProviderConfig struct { 
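Review bot: The new line `transport.TLSClientConfig = xtls.NewInsecureConfig()` replaces whatever TLS settings xhttp.NewDefaultTransport() had installed, whereas the removed lines only flipped InsecureSkipVerify on the existing config, and the replacement also lowers MinVersion to TLS 1.0 and admits tls.InsecureCipherSuites(). That widening may be deliberate so the monitor can still read certificates from legacy endpoints, but nothing in the hunk says so; a comment such as `// verification is skipped on purpose: this request only retrieves the peer chain for inspection and its body is never trusted` would pin the intent for the next reader. If the request URL is built from addr rather than domain (the construction lies outside the hunk), the server sees addr in SNI and a name-based virtual host may hand back its default certificate, so consider `transport.TLSClientConfig.ServerName = domain` so the chain inspected is the one issued for domain. tryRetrievePeerCertificates continues past the end of this hunk.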
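Review bot: `req.Header.Set("Host", domain)` is a no-op on an outgoing request: net/http excludes a Host entry in req.Header when writing the request and sends req.Host (falling back to URL.Host) instead, on both the HTTP/1 and HTTP/2 paths, so the virtual host the server selects is unchanged by this line. Replace it with `req.Host = domain`. A small test that captures the Host header received by an httptest server would catch this, since the current form fails silently. The enclosing function starts in the previous hunk and ends outside this one.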
@@ -79,7 +79,7 @@ func (n *NotifierProvider) Notify(ctx context.Context, subject string, message s
 var yak *mailyak.MailYak
 if n.config.SmtpTls { 
- yakWithTls, err := mailyak.NewWithTLS(smtpAddr, smtpAuth, newTlsConfig()) 
+ yakWithTls, err := mailyak.NewWithTLS(smtpAddr, smtpAuth, xtls.NewCompatibleConfig())
 if err != nil {
 return nil, err
 } 
@@ -100,19 +100,3 @@ func (n *NotifierProvider) Notify(ctx context.Context, subject string, message s
 return &core.NotifyResult{}, nil
 } 
- 
-func newTlsConfig() *tls.Config { 
- var suiteIds []uint16 
- for _, suite := range tls.CipherSuites() { 
- suiteIds = append(suiteIds, suite.ID) 
- } 
- for _, suite := range tls.InsecureCipherSuites() { 
- suiteIds = append(suiteIds, suite.ID) 
- } 
- 
- // 为兼容国内部分低版本 TLS 的 SMTP 服务商 
- return &tls.Config{ 
- MinVersion: tls.VersionTLS10, 
- CipherSuites: suiteIds, 
- } 
-} 
diff --git a/pkg/utils/tls/config.go b/pkg/utils/tls/config.go 
new file mode 100644 
index 00000000..d3f25383 
--- /dev/null 
+++ b/pkg/utils/tls/config.go 
@@ -0,0 +1,34 @@ 
+package tls 
+ 
+import ( 
+ "crypto/tls" 
+) 
+ 
+// 创建并返回一个兼容低版的 [tls.Config] 对象。 
+// 
+// 出参: 
+// - config: [tls.Config] 对象。 
+func NewCompatibleConfig() *tls.Config { 
+ var suiteIds []uint16 
+ for _, suite := range tls.CipherSuites() { 
+ suiteIds = append(suiteIds, suite.ID) 
+ } 
+ for _, suite := range tls.InsecureCipherSuites() { 
+ suiteIds = append(suiteIds, suite.ID) 
+ } 
+ 
+ return &tls.Config{ 
+ MinVersion: tls.VersionTLS10, 
+ CipherSuites: suiteIds, 
+ } 
+} 
+ 
+// 创建并返回一个不安全的 [tls.Config] 对象。 
+// 
+// 出参: 
+// - config: [tls.Config] 对象。 
+func NewInsecureConfig() *tls.Config { 
+ config := NewCompatibleConfig() 
+ config.InsecureSkipVerify = true 
+ return config 
+}
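Review bot: NewCompatibleConfig re-enables TLS 1.0/1.1 and every suite in tls.InsecureCipherSuites() for any caller in the repository, but the one reason that justified this, the removed comment in email.go `// 为兼容国内部分低版本 TLS 的 SMTP 服务商` (some SMTP providers still speak old TLS), did not move with the code, so the package now only promises a "compatible" config. Carry that rationale into the function's doc comment and state plainly that the result accepts protocol versions and cipher suites Go excludes by default, so the call at the email.go hunk (-79) and any later caller adopt the weakening knowingly rather than by picking the friendlier-sounding name. NewInsecureConfig stacks InsecureSkipVerify = true on top of that weakening; its doc should say the config is suitable only for fetching a peer chain for inspection, never for a connection whose payload is acted upon. A minor style point: `suiteIds := make([]uint16, 0, len(tls.CipherSuites())+len(tls.InsecureCipherSuites()))` pre-sizes the list and removes the regrowth appends.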