Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/crypto/acme/autocert: allow easy use of certificate alternate chains #48747

Open
hochhaus opened this issue Oct 2, 2021 · 16 comments
Open

x/crypto/acme/autocert: allow easy use of certificate alternate chains #48747

hochhaus opened this issue Oct 2, 2021 · 16 comments
Assignees
@rolandshoemaker
Labels
FeatureRequest NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Unreleased

Comments

@hochhaus
Copy link

hochhaus commented Oct 2, 2021
edited

What version of Go are you using (go version)?

$ go version
go version go1.17.1 linux/amd64

Does this issue reproduce with the latest release?

Yes (using golang.org/x/crypto v0.0.0-20210921155107-089bfa567519)

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/ahochhaus/.cache/go-build"
GOENV="/home/ahochhaus/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/ahochhaus/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/ahochhaus/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/home/ahochhaus/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/home/ahochhaus/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17.1"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1798779825=/tmp/go-build -gno-record-gcc-switches"

What did you do?

The new acme Client.ListCertAlternates API from @jameshartig and @FiloSottile is great when directly using an acme client. However, most users likely use autocert instead and no easy method to select an alternative / preferred chain is provided.

What did you expect to see?

An easy way to select the preferred certificate chain in autocert.

What did you see instead?

The need to use the acme library directly to select an alternate cert chain.
@mknyszek mknyszek changed the title autocert: allow easy use of certificate alternate chains x/crypto/acme/autocert: allow easy use of certificate alternate chains Oct 4, 2021
@mknyszek mknyszek added FeatureRequest NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Oct 4, 2021
@mknyszek mknyszek added this to the Unreleased milestone Oct 4, 2021
@mknyszek
Copy link
Contributor

mknyszek commented Oct 4, 2021

CC @FiloSottile @rolandshoemaker via https://dev.golang.org/owners

@andreasschulze
Copy link

Hello, are there any updates?

@hochhaus
Copy link
Author

hochhaus commented Jan 7, 2022

@andreasschulze If you are looking for a shot term work around you can use https://github.com/hochhaus/crypto/commit/ba7d272dee0b9dccf253ddc91a14797a6af88f47.

If this change is directionally acceptable to an OWNER I could clean it up and submit upstream.

@andreasschulze
Copy link

@hochhaus: my go skills are limited. Could you show me how to use your version https://github.com/hochhaus/crypto/commit/ba7d272dee0b9dccf253ddc91a14797a6af88f47?

I would try it here: https://github.com/andreasschulze/scmdhttpd/blob/main/scmdhttpd.go

@hochhaus
Copy link
Author

hochhaus commented Feb 4, 2022
edited

@andreasschulze Absolutely. The API change is very minimal. Basically just add the PreferredChain to your autocert.Manager. It might look something like:

cm := &autocert.Manager{
  Cache:      autocert.DirCache(filepath.Join(*certdir, certsDir)),
  Prompt:     autocert.AcceptTOS,
  HostPolicy: hostPolicy(),
  PreferredChain: "ISRG Root X1",
}

Depending on your needs you will need to modify the value of the PreferredChain.

@andreasschulze
Copy link

yes, PreferredChain: "ISRG Root X1" is what most users would choose ...

how do I decleare "please use https://github.com/hochhaus/crypto/commit/ba7d272dee0b9dccf253ddc91a14797a6af88f47"?
I assume, I've to change something here?

@hochhaus
Copy link
Author

hochhaus commented Feb 5, 2022

@andreasschulze I use bazel / rules_go (instead of the normal go build tools) so unfortunately I'm not sure the correct method to plug this into scmdhttpd. Does updating the import to github.com/hochhaus/crypto/acme/autocert not work?

@andreasschulze
Copy link

ok, this is my change

I've removed all certs from cache and let autocert fetch a new one. But the server still deliver DST Root CA X3
Checked with openssl s_client -connect scmdhttpd.example:443 -showcerts ...

The file in the cache contain 3 PEM blocks.

  • leaf issued by R3
  • R3 issued by ISRG Root X1
  • ISRG Root X1 issued by the expired DST Root CA X3

@hochhaus
Copy link
Author

hochhaus commented Feb 5, 2022

Hi @andreasschulze. Thanks. You are correct -- my change is buggy. Can you try https://github.com/hochhaus/crypto/commit/cceb102a4601f585dbc03ecdff0ae8483cd1f310 instead?

I reimplemented this feature from memory without testing as it originally was written in a closed source repo. During the rewrite I incorrectly checked x509Cert.Subject.CommonName instead of x509Cert.Issuer.CommonName.

@andreasschulze
Copy link

Yea! with this commit, go1.18beta2 and a forced cert renew the server now no longer present DST Root CA X3 in the TLS handshake

@hochhaus
Copy link
Author

hochhaus commented Feb 5, 2022

Glad it worked! Thanks for debugging.

@andreasschulze
Copy link

andreasschulze commented Feb 5, 2022
edited

now we've to wait your change get merged upstream ...

@hochhaus
Copy link
Author

hochhaus commented Feb 5, 2022

If an OWNER is willing to review I will clean it up, add tests and send it out.

@Oidlichtnwoada
Copy link

@hochhaus Could you please make a pull request with your change?

@andreasschulze
Copy link

Webserver using acme/autocert/autocert.go still deliver the old "DST Root CA X3". Users like to disable this.

is there a chance, to get this fixed (at least let the user have a choice) in go-1.20? What would be needed? I'like to see some progress.

@rolandshoemaker rolandshoemaker self-assigned this Jan 10, 2023
@andreasschulze
Copy link

are there any news / progress?
using go-1.21 acme/autocert/autocert.go still deliver the old "DST Root CA X3" :-/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rolandshoemaker rolandshoemaker

Labels
FeatureRequest NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
5 participants
@mknyszek @rolandshoemaker @hochhaus @andreasschulze @Oidlichtnwoada