Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Using full cert chain over single certificate #161

Merged
merged 14 commits into from
Mar 17, 2022
Merged

Using full cert chain over single certificate #161

merged 14 commits into from
Mar 17, 2022

Conversation

zendern
Copy link
Collaborator

@zendern zendern commented Jul 19, 2021

Fixes #156 and #73

Found that we were parsing the cert using
CertificateFactory.getCertificate. This was not giving us the full chain
but instead just the domain cert. Which in most places work but not in
all.

To address this we now will get the full chain using
CertificateFactor.getCertificates and pass that on the event to Netty so
that it can be used for initialization.

zendern
zendern commented Jul 19, 2021
View reviewed changes
acme/src/main/java/io/micronaut/acme/services/AcmeService.java Outdated
CertificateFactory cf = CertificateFactory.getInstance("X.509");
File certificate = new File(certLocation, DOMAIN_CRT);
if (certificate.exists()) {
return cf.generateCertificates(Files.newInputStream(certificate.toPath())).toArray(new X509Certificate[0]);
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Important change was to call cf.generateCertificates here and then pass this into the CertificateEvent and thus into Netty for initialization.

michaelkoetter
michaelkoetter reviewed Jul 19, 2021
View reviewed changes
acme/src/main/java/io/micronaut/acme/events/CertificateEvent.java Outdated
@@ -24,6 +24,7 @@
public class CertificateEvent {
private final X509Certificate certificate;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this still required, ie. should there be a distinction between "single certificate" and "certificate chain"?
The "single certificate" code path is only used for tls-apln-01 validation, but this could also utilize the fullCertificateChain array (just with a single entry).

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yah thats fair. I left it due to the CertificateEvent constructor is public so in theory someone could be using it. But yes implementation wise I could just store the full chain and in the validation cert case an array of 1 instead of 2 objects.

@yawkat
Copy link
Member

yawkat commented Mar 2, 2022

@zendern is there a reason this is still a draft? I would like to merge it, I see no obvious issues.

@yawkat yawkat self-assigned this Mar 3, 2022
zendern added 3 commits March 6, 2022 17:22
@zendern
Using full cert chain over single certificate
33951d2 
Found that we were parsing the cert using
CertificateFactory.getCertificate. This was not giving us the full chain
but instead just the domain cert. Which in most places work but not in
all.

To address this we now will get the full chain using
CertificateFactor.getCertificates and pass that on the event to Netty so
that it can be used for initalization.
@zendern
No need to store another certificate just use the chain
3bfff20
@zendern
No reason we cant deprecate the old constructor and use the new one
1c3fc8d
@zendern
Copy link
Collaborator Author

zendern commented Mar 7, 2022
edited
Loading

@zendern is there a reason this is still a draft? I would like to merge it, I see no obvious issues.

After rebasing I remember now. CI tests were broken but worked locally. Getting into trying to figure out why. Hoping to get it figured out this week so we can get this merged

@zendern zendern marked this pull request as ready for review March 7, 2022 02:03
yawkat
yawkat previously approved these changes Mar 7, 2022
View reviewed changes
sdelamo
sdelamo requested changes Mar 7, 2022
View reviewed changes
Copy link
Contributor

@sdelamo sdelamo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks good. A couple of minor things.

acme/src/main/java/io/micronaut/acme/events/CertificateEvent.java Outdated Show resolved Hide resolved
acme/src/main/java/io/micronaut/acme/services/AcmeService.java Outdated Show resolved Hide resolved
acme/src/main/java/io/micronaut/acme/services/AcmeService.java Outdated Show resolved Hide resolved
acme/src/test/groovy/io/micronaut/acme/AcmeCertRefresherMultiDomainsTaskSpec.groovy Outdated Show resolved Hide resolved
acme/src/test/groovy/io/micronaut/acme/AcmeCertRefresherTaskSpec.groovy Outdated Show resolved Hide resolved
.../test/groovy/io/micronaut/acme/challenges/AcmeCertRefresherTaskTlsApln01ChallengeSpec.groovy Outdated Show resolved Hide resolved
...src/test/groovy/io/micronaut/acme/challenges/AcmeCertRefresherTaskHttp01ChallengeSpec.groovy Outdated Show resolved Hide resolved
...src/test/groovy/io/micronaut/acme/challenges/AcmeCertRefresherTaskHttp01ChallengeSpec.groovy Outdated Show resolved Hide resolved
acme/src/test/groovy/io/micronaut/acme/AcmeCertWildcardRefresherTaskSpec.groovy Outdated Show resolved Hide resolved
acme/src/test/groovy/io/micronaut/acme/AcmeCertWildcardRefresherTaskSpec.groovy Outdated Show resolved Hide resolved
sdelamo
sdelamo reviewed Mar 8, 2022
View reviewed changes
acme/src/main/java/io/micronaut/acme/services/AcmeService.java Outdated
@@ -278,7 +303,7 @@ private boolean writeCombinedFile(Certificate certificate) {
try (BufferedWriter writer = Files.newBufferedWriter(domainCsr.toPath(), WRITE, CREATE, TRUNCATE_EXISTING)) {
certificate.writeCertificate(writer);
}
eventPublisher.publishEvent(new CertificateEvent(getCurrentCertificate(), domainKeyPair, false));
eventPublisher.publishEvent(new CertificateEvent(domainKeyPair, false, getFullCertificateChain()));
Copy link
Contributor

@sdelamo sdelamo Mar 8, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if getFullCertificateChain returns an empty array, should we publish the event?. Since CertificateEvent assumes a non empty array due to CertificateEvent::getCert where it gets the first certificate in the array.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resolved via 6a5dd44

acme/src/main/java/io/micronaut/acme/services/AcmeService.java Outdated
@@ -482,7 +507,7 @@ private void doChallengeSpecificSetup(Authorization auth, Challenge challenge) t
* Setup the certificate that has been saved to disk and configures it for use.
*/
public void setupCurrentCertificate() {
eventPublisher.publishEvent(new CertificateEvent(getCurrentCertificate(), getDomainKeyPair(), false));
eventPublisher.publishEvent(new CertificateEvent(getDomainKeyPair(), false, getFullCertificateChain()));
Copy link
Contributor

@sdelamo sdelamo Mar 8, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if getFullCertificateChain returns an empty array, should we publish the event?. Since CertificateEvent assumes a non empty array due to CertificateEvent::getCert where it gets the first certificate in the array.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resolved via 6a5dd44

yawkat
yawkat previously approved these changes Mar 9, 2022
View reviewed changes
@recursivecodes
Copy link

Can we try this build again? I'd really love to have this merged soon.

@yawkat yawkat requested a review from sdelamo March 14, 2022 09:47
yawkat
yawkat previously approved these changes Mar 14, 2022
View reviewed changes
@yawkat
Copy link
Member

yawkat commented Mar 14, 2022

I think the sonar CI is just broken. we can ignore it for the merge

@recursivecodes
Copy link

OK - who can do the merge @yawkat?

@yawkat
Copy link
Member

yawkat commented Mar 16, 2022

just waiting for sergio to re-review this. I will handle the rest.

@sdelamo
Copy link
Contributor

sdelamo commented Mar 16, 2022

thanks for the pr @zendern I have change the method signature to return optional 6a5dd44 to be on the safer side.

@sdelamo sdelamo merged commit 2b4eadd into micronaut-projects:master Mar 17, 2022
@recursivecodes
Copy link

I am receiving an exception now when trying 3.1.1.SNAPSHOT:

#211

@recursivecodes
Copy link

Same issue with MN-ACME 3.1.0 on Micronaut 3.2.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michaelkoetter michaelkoetter michaelkoetter left review comments

@sdelamo sdelamo sdelamo approved these changes

@yawkat yawkat yawkat left review comments

Assignees

@yawkat yawkat

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Intermediate cert not being sent
5 participants
@zendern @yawkat @recursivecodes @sdelamo @michaelkoetter