x/crypto/acme/autocert: handle short cert lifetimes #64997
Comments
dmitshur
added
the
NeedsInvestigation
|
CC @bradfitz, @rolandshoemaker, @golang/security. |
|
Let's Encrypt will to begin offering short-term certificates as an option in the future as well, like 7-day certificates. The current behaviour is going to be problematic for us, and so it would be good to have this changed well in advance of anything we do, to make that transition easier and avoid needing to block misbehaving clients. I would recommend the 2/3 fraction instead of 30 days. |
|
Since this will de facto be an API change it should go through the proposal process. It sounds like a plausible change would be to make the doc comment for This maintains the current behavior for very long lived certs (unlikely to be particularly common, but 🤷), while introducing the more ideal behavior for shorter lived ones. |
rolandshoemaker
changed the title
dmitshur
removed
the
NeedsInvestigation
ianlancetaylor
added
the
Proposal-Crypto
|
I believe some WebPKI CAs are issuing 1 year certificates via ACME today, and probably some private ones too, so it does make sense to me to include a "lesser of" clause here. |
rsc
changed the title
|
Based on the discussion above, this proposal seems like a likely accept. The proposal is #64997 (comment). |
|
No change in consensus, so accepted. 🎉 The proposal is #64997 (comment). |
rsc
changed the title
|
Is anyone planning to work on this already? If not, I can give it a go. |
|
I'm unlikely to get to this any time soon, if you'd like to send a CL for it I'd be happy to review. |
|
Change https://go.dev/cl/579695 mentions this issue: |
dmitshur
added
the
FixPending
Go version
n/a (x/crypto v0.17.0, latest at time of writing)
Output of
go envin your module/workspace:What did you do?
Use autocert with step-ca as ACME server (https://smallstep.com/docs/step-ca/) for internal testing. I created an acme.Client with a DirectoryURL pointing to step-ca, but I did not change autocert.Manager.RenewBefore.
What did you see happen?
Autocert retrieved a certificate, so that is working as intended.
However, autocert immediate starts and keeps refreshing the certificate. That's because the default RenewBefore is 30 days, which is sensible for Let's Encrypt's 90 day certificate validity period. However, step-ca hands out short-lived certificates valid for 1 day. So when a new certificate is retrieved, it is refreshed immediately, ad infinitum.
What did you expect to see?
No refresh loop.
Of course, I should have set autocert.Manager.RenewBefore to match the default 1 day certificate validity period of a new step-ca instance. That would have prevented this problem. However, I hadn't made RenewBefore configurable in my application, so instead I changed the step-ca config to issue certificates with a lifetime of 31 days. I suspect more people could run into this when configuring alternative ACME providers in the future.
I think it would be helpful to change the behavior of a zero RenewBefore value. Instead of using 30 days, we can set the time at which to renew to 2/3 of the certificate validity period. For Let's Encrypt, that would still be 30 days before expiration. For a 1 day certificate, it would be 8 hour before the expiration. If a certificate is valid for 12 months, it would be at 4 months before expiration (which feels like it may be too early, but not harmful, and also not likely: one of the advantages of ACME is enabling shorter-lived certificates, desirable due to revocation issues).
At the very least, we should probably add a check to not renew an issued certificate immediately. E.g. have a minimum "next refresh delay" of 1 hour.
I can make a CL if there is any interest in the idea.
The text was updated successfully, but these errors were encountered: