[pve-devel] [PATCH proxmox-acme] support downloading alternate chains

public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed

* [pve-devel] [PATCH proxmox-acme] support downloading alternate chains
@ 2021-10-07 13:01 Fabian Grünbichler
  2021-10-07 16:31 ` Stoiko Ivanov
  0 siblings, 1 reply; 2+ messages in thread
From: Fabian Grünbichler @ 2021-10-07 13:01 UTC (permalink / raw)
  To: pve-devel

the current default chains end with an expired root certificate for
maximum compatibility with old Android versions. this breaks some other
older clients (openssl, gnutls) which don't expect chains to contain any
expired certificates, even if they are 'above' the trust anchor.

setting $root will download alternate chains provided by the ACME server
and try to find a chain matching this (sub)string either as subject or
issuer of the last element of the certificate chain.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---

Notes:
    only tested with pebble

    writing to a tempfile is a bit ugly, but we are not talking about
    much data here, and the alternative is to have a versioned bump for
    pve-common to teach the cert helper to read from a string/buffer..

 src/PVE/ACME.pm | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
index 265482d..0684815 100644
--- a/src/PVE/ACME.pm
+++ b/src/PVE/ACME.pm
@@ -442,10 +442,11 @@ sub deactivate_authorization {
 
 # Get certificate
 # GET-as-POST to order's certificate URL
+# if $root is specified, attempts to find a matching alternate chain
 # Expects a '200 OK' reply
 # returns certificate chain in PEM format
 sub get_certificate {
-    my ($self, $order) = @_;
+    my ($self, $order, $root) = @_;
 
     $self->fatal("no certificate URL available (yet?)", $order)
        if !$order->{certificate};
@@ -453,6 +454,28 @@ sub get_certificate {
     my $r = $self->do(POST => $order->{certificate}, '');
     my $return = eval {
 	my $res = __get_result($r, 200, 1);
+	if ($root) {
+	    my $found;
+	    my @links = $r->header('link');
+	    for my $link (@links) {
+		if ($link =~ /^<(.*)>;rel="alternate"$/) {
+		    my $url = $1;
+		    my $chain = eval { __get_result($self->do(POST => $url, ''), 200, 1); };
+		    die "failed to retrieve alternate chain from '$url' - $@\n" if $@;
+		    my @certs = PVE::Certificate::split_pem($chain);
+		    my $root_pem = $certs[-1];
+		    my ($file, $fh) = PVE::Tools::tempfile_contents($root_pem);
+		    my $info = PVE::Certificate::get_certificate_info($file);
+		    if ((defined($info->{subject}) && $info->{subject} =~ m/\Q$root\E/)
+			|| (defined($info->{issuer}) && $info->{issuer} =~ m/\Q$root\E/)) {
+			$res = $chain;
+			$found = 1;
+			last;
+		    }
+		}
+	    }
+	    die "didn't find alternate chain matching '$root'\n" if !$found;
+	}
 	if ($res =~ /^(-----BEGIN CERTIFICATE-----)(.+)(-----END CERTIFICATE-----)$/s) { # untaint
 	    return $1 . $2 . $3;
 	}
-- 
2.30.2





^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [pve-devel] [PATCH proxmox-acme] support downloading alternate chains
  2021-10-07 13:01 [pve-devel] [PATCH proxmox-acme] support downloading alternate chains Fabian Grünbichler
@ 2021-10-07 16:31 ` Stoiko Ivanov
  0 siblings, 0 replies; 2+ messages in thread
From: Stoiko Ivanov @ 2021-10-07 16:31 UTC (permalink / raw)
  To: Fabian Grünbichler; +Cc: Proxmox VE development discussion

Huge Thanks for addressing this so fast!

quickly tested it on a (publicly accessible) system of mine
against Let's Encrypt official API (boulder)

It works as advertised and fetches the (shorter) certificate chain without
the signed ISRG X1 as intermediate (signed by DST Root CA X3)

So this fixes the immediate issue.

However, it only works because if a 'root' is provided we only fetch the
alternative chains - if we'd compare the original cert we would get that
one back
(since there the subject would match 'ISRG', as opposed to the issuer).

I'd suggest to follow acme.sh:
https://github.com/acmesh-official/acme.sh/blob/8fcecd59a0fd991f1fb4248692af63889bb90d81/acme.sh#L4945
by:
* only matching the issuer
* comparing also the initial certificate as well for the root
* potentially make the regex-match case-insensitive (to also match acme.sh)


but can also provide this as a follow-up if you're busy elsewhere


On Thu,  7 Oct 2021 15:01:18 +0200
Fabian Grünbichler <f.gruenbichler@proxmox.com> wrote:

> the current default chains end with an expired root certificate for
> maximum compatibility with old Android versions. this breaks some other
> older clients (openssl, gnutls) which don't expect chains to contain any
> expired certificates, even if they are 'above' the trust anchor.
> 
> setting $root will download alternate chains provided by the ACME server
> and try to find a chain matching this (sub)string either as subject or
> issuer of the last element of the certificate chain.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
> 
> Notes:
>     only tested with pebble
> 
>     writing to a tempfile is a bit ugly, but we are not talking about
>     much data here, and the alternative is to have a versioned bump for
>     pve-common to teach the cert helper to read from a string/buffer..
> 
>  src/PVE/ACME.pm | 25 ++++++++++++++++++++++++-
>  1 file changed, 24 insertions(+), 1 deletion(-)
> 
> diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
> index 265482d..0684815 100644
> --- a/src/PVE/ACME.pm
> +++ b/src/PVE/ACME.pm
> @@ -442,10 +442,11 @@ sub deactivate_authorization {
>  
>  # Get certificate
>  # GET-as-POST to order's certificate URL
> +# if $root is specified, attempts to find a matching alternate chain
>  # Expects a '200 OK' reply
>  # returns certificate chain in PEM format
>  sub get_certificate {
> -    my ($self, $order) = @_;
> +    my ($self, $order, $root) = @_;
>  
>      $self->fatal("no certificate URL available (yet?)", $order)
>         if !$order->{certificate};
> @@ -453,6 +454,28 @@ sub get_certificate {
>      my $r = $self->do(POST => $order->{certificate}, '');
>      my $return = eval {
>  	my $res = __get_result($r, 200, 1);
> +	if ($root) {
> +	    my $found;
> +	    my @links = $r->header('link');
> +	    for my $link (@links) {
> +		if ($link =~ /^<(.*)>;rel="alternate"$/) {
> +		    my $url = $1;
> +		    my $chain = eval { __get_result($self->do(POST => $url, ''), 200, 1); };
> +		    die "failed to retrieve alternate chain from '$url' - $@\n" if $@;
> +		    my @certs = PVE::Certificate::split_pem($chain);
> +		    my $root_pem = $certs[-1];
> +		    my ($file, $fh) = PVE::Tools::tempfile_contents($root_pem);
> +		    my $info = PVE::Certificate::get_certificate_info($file);
> +		    if ((defined($info->{subject}) && $info->{subject} =~ m/\Q$root\E/)
> +			|| (defined($info->{issuer}) && $info->{issuer} =~ m/\Q$root\E/)) {
> +			$res = $chain;
> +			$found = 1;
> +			last;
> +		    }
> +		}
> +	    }
> +	    die "didn't find alternate chain matching '$root'\n" if !$found;
> +	}
>  	if ($res =~ /^(-----BEGIN CERTIFICATE-----)(.+)(-----END CERTIFICATE-----)$/s) { # untaint
>  	    return $1 . $2 . $3;
>  	}





^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2021-10-07 16:32 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-07 13:01 [pve-devel] [PATCH proxmox-acme] support downloading alternate chains Fabian Grünbichler
2021-10-07 16:31 ` Stoiko Ivanov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Service provided by Proxmox Server Solutions GmbH | Privacy | Legal