From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <f.gruenbichler@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 94BE273792
 for <pve-devel@lists.proxmox.com>; Thu,  7 Oct 2021 15:01:26 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 9190D1A8F0
 for <pve-devel@lists.proxmox.com>; Thu,  7 Oct 2021 15:01:26 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS id 09BE91A8E4
 for <pve-devel@lists.proxmox.com>; Thu,  7 Oct 2021 15:01:26 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id DCD72454AA
 for <pve-devel@lists.proxmox.com>; Thu,  7 Oct 2021 15:01:25 +0200 (CEST)
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Thu,  7 Oct 2021 15:01:18 +0200
Message-Id: <20211007130118.186851-1-f.gruenbichler@proxmox.com>
X-Mailer: git-send-email 2.30.2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.344 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [acme.pm]
Subject: [pve-devel] [PATCH proxmox-acme] support downloading alternate
 chains
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Thu, 07 Oct 2021 13:01:26 -0000

the current default chains end with an expired root certificate for
maximum compatibility with old Android versions. this breaks some other
older clients (openssl, gnutls) which don't expect chains to contain any
expired certificates, even if they are 'above' the trust anchor.

setting $root will download alternate chains provided by the ACME server
and try to find a chain matching this (sub)string either as subject or
issuer of the last element of the certificate chain.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---

Notes:
    only tested with pebble

    writing to a tempfile is a bit ugly, but we are not talking about
    much data here, and the alternative is to have a versioned bump for
    pve-common to teach the cert helper to read from a string/buffer..

 src/PVE/ACME.pm | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
index 265482d..0684815 100644
--- a/src/PVE/ACME.pm
+++ b/src/PVE/ACME.pm
@@ -442,10 +442,11 @@ sub deactivate_authorization {
 
 # Get certificate
 # GET-as-POST to order's certificate URL
+# if $root is specified, attempts to find a matching alternate chain
 # Expects a '200 OK' reply
 # returns certificate chain in PEM format
 sub get_certificate {
-    my ($self, $order) = @_;
+    my ($self, $order, $root) = @_;
 
     $self->fatal("no certificate URL available (yet?)", $order)
        if !$order->{certificate};
@@ -453,6 +454,28 @@ sub get_certificate {
     my $r = $self->do(POST => $order->{certificate}, '');
     my $return = eval {
 	my $res = __get_result($r, 200, 1);
+	if ($root) {
+	    my $found;
+	    my @links = $r->header('link');
+	    for my $link (@links) {
+		if ($link =~ /^<(.*)>;rel="alternate"$/) {
+		    my $url = $1;
+		    my $chain = eval { __get_result($self->do(POST => $url, ''), 200, 1); };
+		    die "failed to retrieve alternate chain from '$url' - $@\n" if $@;
+		    my @certs = PVE::Certificate::split_pem($chain);
+		    my $root_pem = $certs[-1];
+		    my ($file, $fh) = PVE::Tools::tempfile_contents($root_pem);
+		    my $info = PVE::Certificate::get_certificate_info($file);
+		    if ((defined($info->{subject}) && $info->{subject} =~ m/\Q$root\E/)
+			|| (defined($info->{issuer}) && $info->{issuer} =~ m/\Q$root\E/)) {
+			$res = $chain;
+			$found = 1;
+			last;
+		    }
+		}
+	    }
+	    die "didn't find alternate chain matching '$root'\n" if !$found;
+	}
 	if ($res =~ /^(-----BEGIN CERTIFICATE-----)(.+)(-----END CERTIFICATE-----)$/s) { # untaint
 	    return $1 . $2 . $3;
 	}
-- 
2.30.2