
x/crypto/acme: NameToCertificate is not used #22869

Closed
winteraz opened this issue Nov 24, 2017 · 4 comments
Labels
FrozenDueToAge WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.
Comments

@winteraz

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

1.9

Does this issue reproduce with the latest release?

yes.

What operating system and processor architecture are you using (go env)?

linux, amd64

What did you do?

I'm trying to create a server that serves encrypted traffic using ACME for certain domains and using NameToCertificate for other domains not in the ACME whitelist. In my use case I have several domain names whitelisted using ACME (e.g. example.com, example1.com) and one served using NameToCertificate (*.example.com), due to the fact that the ACME provider (Let's Encrypt) doesn't support wildcards.

```go
package main

import (
	"crypto/tls"
	"net/http"
	"strconv"

	"golang.org/x/crypto/acme/autocert"
)

// CertificatesFromFile loads a PEM certificate/key pair from disk and returns the
// name -> certificate map crypto/tls builds for it (keys are the certificate's
// CommonName and SANs, e.g. "*.example.com" for a wildcard certificate).
func CertificatesFromFile(crt, key string) (map[string]*tls.Certificate, error) {
	cer, err := tls.LoadX509KeyPair(crt, key)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cer}}
	cfg.BuildNameToCertificate()
	return cfg.NameToCertificate, nil
}

// ListenAndServeFileCert is meant to serve ACME certificates for the given domains
// and file-based certificates for everything in nameToCertificate.
func ListenAndServeFileCert(hn http.Handler, port int, nameToCertificate map[string]*tls.Certificate, domain ...string) {
	m := autocert.Manager{
		Prompt:     autocert.AcceptTOS,
		HostPolicy: autocert.HostWhitelist(domain...),
		Cache:      autocert.DirCache("/root/letsencrypt"),
	}

	// crypto/tls calls GetCertificate first and only consults NameToCertificate
	// when GetCertificate returns (nil, nil); autocert returns an error for an
	// unlisted host instead.
	config := &tls.Config{
		GetCertificate:    m.GetCertificate,
		NameToCertificate: nameToCertificate,
	}
	for k := range nameToCertificate {
		config.Certificates = append(config.Certificates, *nameToCertificate[k])
	}
	s := &http.Server{
		// An empty TLSNextProto map disables HTTP/2.
		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),
		Handler:      hn,
		Addr:         ":" + strconv.Itoa(port),
		TLSConfig:    config,
	}

	// Empty cert/key paths: certificates come from TLSConfig.
	panic(s.ListenAndServeTLS("", ""))
}
```

What did you expect to see?

When a domain that's not whitelisted in the ACME config is requested, I expected tls to range over NameToCertificate and select a certificate matching the domain (in my case a wildcard certificate, *.example.com).

What did you see instead?

2017/11/24 11:11:00 http: TLS handshake error from x.x.x.x:34356: acme/autocert: host not configured


winteraz commented Nov 24, 2017

As a workaround I wrapped the expected behaviour in a GetCertificate. It works, but I think this is still a bug that should be fixed.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"regexp"
	"strings"

	"golang.org/x/crypto/acme/autocert"
)

// acmeThenFileCert is the workaround: try autocert first, then fall back to the
// file-based certificates, matching wildcard entries against the SNI name.
func acmeThenFileCert(m *autocert.Manager, nameToCertificate map[string]*tls.Certificate) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		crt, err := m.GetCertificate(hello)
		if err == nil && crt != nil {
			return crt, nil
		}
		// look on nameToCertificate
		for domain, crt := range nameToCertificate {
			// expect wildcard: "*.example.com" matches one extra label; the pattern is
			// anchored and quoted so an unescaped "." no longer matches any character
			pattern := "(?i)^" + regexp.QuoteMeta(domain) + "$"
			if strings.HasPrefix(domain, "*.") {
				pattern = "(?i)^[^.]+" + regexp.QuoteMeta(domain[1:]) + "$"
			}
			ok, err := regexp.MatchString(pattern, hello.ServerName)
			if err != nil {
				log.Println(err)
				continue
			}
			if ok {
				return crt, nil
			}
		}
		return nil, fmt.Errorf("No name cert found for %s", hello.ServerName)
	}
}
```


x1ddos commented Nov 24, 2017

Not sure what it is exactly that the issue here describes as a bug in x/crypto/acme/autocert. The error "host not configured" means that the host is not allowed. You enforced that with autocert.HostWhitelist(domain...).

Perhaps, you just want a custom host policy?
It is just a function which you can provide: https://godoc.org/golang.org/x/crypto/acme/autocert#HostPolicy.

If you look at the HostWhitelist docs, it says:

Only exact matches are currently supported. Subdomains, regexp or wildcard will not match.

Is that what this bug is about, you'd like HostWhitelist to support wildcard?
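An added example, not code from the issue or from x/crypto, showing the selection rule behind the error: crypto/tls consults NameToCertificate (with its own wildcard matching) only when GetCertificate returns (nil, nil), and autocert returns an error for hosts its HostPolicy rejects. The HostPolicy and GetCert types are assumed to mirror autocert's and tls.Config's signatures, and LookupStatic is a stand-in for the lookup crypto/tls performs internally, included so the fallback can be exercised without a listener.

```go
package main

import (
	"context"
	"crypto/tls"
	"errors"
	"strings"
)

// HostPolicy and GetCert mirror autocert.HostPolicy and tls.Config.GetCertificate (assumed shapes).
type HostPolicy func(ctx context.Context, host string) error
type GetCert func(*tls.ClientHelloInfo) (*tls.Certificate, error)

// ExactHosts behaves like autocert.HostWhitelist: exact, case-insensitive matches only.
func ExactHosts(hosts ...string) HostPolicy {
	return func(_ context.Context, host string) error {
		for _, h := range hosts {
			if strings.EqualFold(h, host) {
				return nil
			}
		}
		return errors.New("host not configured")
	}
}

// ACMEThenStatic wraps the ACME getter. crypto/tls falls back to NameToCertificate only when
// GetCertificate returns (nil, nil); autocert returns an error for an unlisted host instead.
func ACMEThenStatic(policy HostPolicy, acme GetCert) GetCert {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if policy(context.Background(), hello.ServerName) != nil {
			return nil, nil // not an ACME host: let crypto/tls consult NameToCertificate
		}
		return acme(hello)
	}
}

// LookupStatic reproduces that fallback: exact name first, then the first label replaced
// by "*", so a "*.example.com" entry serves foo.example.com but not example.com itself.
func LookupStatic(names map[string]*tls.Certificate, serverName string) (*tls.Certificate, error) {
	name := strings.TrimSuffix(strings.ToLower(serverName), ".")
	if c, ok := names[name]; ok {
		return c, nil
	}
	if i := strings.Index(name, "."); i > 0 {
		if c, ok := names["*"+name[i:]]; ok {
			return c, nil
		}
	}
	return nil, errors.New("no static certificate for " + serverName)
}
```

When neither lookup matches, crypto/tls serves Certificates[0] rather than failing the handshake, so the first file certificate appended to config.Certificates is what an unknown SNI name receives.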

@bradfitz bradfitz changed the title crypto/acme: NameToCertificate is not used x/crypto/acme: NameToCertificate is not used Nov 24, 2017
@gopherbot gopherbot added this to the Unreleased milestone Nov 24, 2017
@bradfitz (Contributor)

/cc @x1ddos

@titanous titanous added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Dec 6, 2017
@gopherbot

Timed out in state WaitingForInfo. Closing.

(I am just a bot, though. Please speak up if this is a mistake or you have the requested information.)

@golang golang locked and limited conversation to collaborators Jan 6, 2019