fix: Ensure transport certificates are available during DANFSE artifact storage#142
Merged
Merged
Conversation
…ct storage Problem ------- In production, DANFSE (PDF) generation failed with: file_get_contents(): Unable to set local cert chain file '/dev/shm/nfse_tls_cert_*' Root cause ---------- Transport certificates were created in temporary files (/dev/shm/nfse_tls_cert_*) for mTLS requests. However, the cleanup closure was being called too early - before storeArtifacts() completed. Timeline in emit()/refresh()/reemit(): 1. makeClient() creates cert files and stores cleanup closure 2. try block completes (emit/query/authorize) 4. storeArtifacts() calls getDanfse() which needs certs ← FAILS Solution -------- 1. TransportCertificateManager: Add fallback from /dev/shm to sys_get_temp_dir() - If /dev/shm unavailable (read-only container, permission issues), use fallback - Better error messaging listing both checked directories 2. InvoiceController: Move cleanup to AFTER storeArtifacts() completes - emit(): Wrap storeArtifacts and post-processing in try/finally after emission - refresh(): Wrap storeArtifacts in try/finally after query completes - reemit(): Wrap storeArtifacts in try/finally after reissuance completes - cancel(): Already OK (doesn't use client after exception handling) This ensures getDanfse() (and any other client operations) complete before certificate cleanup occurs. Testing ------- - Added TransportCertificateCleanupTest to validate getDanfse is called before cleanup happens - Existing tests continue to pass - Code flow now matches implementation requirements Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
In production, DANFSE (PDF) generation failed with:
Users saw "Indisponível" (unavailable) for the DANFSE PDF while the NFS-e was successfully emitted.
Root Cause
Transport certificates were created in temporary files (
/dev/shm/nfse_tls_cert_*) for mTLS requests to the gateway. However, the cleanup closure was being called too early - beforestoreArtifacts()completed.Timeline (buggy flow):
makeClient()creates cert files and stores cleanup closuretryblock completes (emit/query/authorize)finallyblock calls cleanup (DELETES cert files!) ← BUGstoreArtifacts()callsgetDanfse()which needs certs ← FAILSThe error comes from cURL/OpenSSL trying to read the certificate file that was already deleted.
Solution
1. TransportCertificateManager: Add fallback directory strategy
/dev/shmunavailable (read-only container, permission issues), fallback tosys_get_temp_dir()/dev/shmmay be restricted2. InvoiceController: Move cleanup to AFTER client usage completes
Affected methods:
emit(): WrapstoreArtifacts()and post-processing intry/finallyAFTER emission completesrefresh(): WrapstoreArtifacts()intry/finallyAFTER query completesreemit(): WrapstoreArtifacts()intry/finallyAFTER reissuance completescancel(): Already safe (doesn't use client after exception handling)This ensures
getDanfse()(and any other client operations) complete before certificate cleanup occurs.Testing
TransportCertificateCleanupTestto validate thatgetDanfse()is called before cleanupChanges