From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 9A6EA7382B for ; Thu, 7 Oct 2021 18:32:09 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 87EDC1D6A8 for ; Thu, 7 Oct 2021 18:31:39 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 1A4091D69D for ; Thu, 7 Oct 2021 18:31:34 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id E2A1C458DA for ; Thu, 7 Oct 2021 18:31:33 +0200 (CEST) Date: Thu, 7 Oct 2021 18:31:30 +0200 From: Stoiko Ivanov To: Fabian =?UTF-8?B?R3LDvG5iaWNobGVy?= Cc: Proxmox VE development discussion Message-ID: <20211007183130.315e2f2c@rosa.proxmox.com> In-Reply-To: <20211007130118.186851-1-f.gruenbichler@proxmox.com> References: <20211007130118.186851-1-f.gruenbichler@proxmox.com> X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: 0 AWL 0.381 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [acme.pm] Subject: Re: [pve-devel] [PATCH proxmox-acme] support downloading alternate chains X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Oct 2021 16:32:09 -0000 Huge Thanks for addressing this so fast! quickly tested it on a (publicly accessible) system of mine against Let's Encrypt official API (boulder) It works as advertised and fetches the (shorter) certificate chain without the signed ISRG X1 as intermediate (signed by DST Root CA X3) So this fixes the immediate issue. However, it only works because if a 'root' is provided we only fetch the alternative chains - if we'd compare the original cert we would get that one back (since there the subject would match 'ISRG', as opposed to the issuer). I'd suggest to follow acme.sh: https://github.com/acmesh-official/acme.sh/blob/8fcecd59a0fd991f1fb4248692a= f63889bb90d81/acme.sh#L4945 by: * only matching the issuer * comparing also the initial certificate as well for the root * potentially make the regex-match case-insensitive (to also match acme.sh) but can also provide this as a follow-up if you're busy elsewhere On Thu, 7 Oct 2021 15:01:18 +0200 Fabian Gr=C3=BCnbichler wrote: > the current default chains end with an expired root certificate for > maximum compatibility with old Android versions. this breaks some other > older clients (openssl, gnutls) which don't expect chains to contain any > expired certificates, even if they are 'above' the trust anchor. >=20 > setting $root will download alternate chains provided by the ACME server > and try to find a chain matching this (sub)string either as subject or > issuer of the last element of the certificate chain. >=20 > Signed-off-by: Fabian Gr=C3=BCnbichler > --- >=20 > Notes: > only tested with pebble >=20 > writing to a tempfile is a bit ugly, but we are not talking about > much data here, and the alternative is to have a versioned bump for > pve-common to teach the cert helper to read from a string/buffer.. >=20 > src/PVE/ACME.pm | 25 ++++++++++++++++++++++++- > 1 file changed, 24 insertions(+), 1 deletion(-) >=20 > diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm > index 265482d..0684815 100644 > --- a/src/PVE/ACME.pm > +++ b/src/PVE/ACME.pm > @@ -442,10 +442,11 @@ sub deactivate_authorization { > =20 > # Get certificate > # GET-as-POST to order's certificate URL > +# if $root is specified, attempts to find a matching alternate chain > # Expects a '200 OK' reply > # returns certificate chain in PEM format > sub get_certificate { > - my ($self, $order) =3D @_; > + my ($self, $order, $root) =3D @_; > =20 > $self->fatal("no certificate URL available (yet?)", $order) > if !$order->{certificate}; > @@ -453,6 +454,28 @@ sub get_certificate { > my $r =3D $self->do(POST =3D> $order->{certificate}, ''); > my $return =3D eval { > my $res =3D __get_result($r, 200, 1); > + if ($root) { > + my $found; > + my @links =3D $r->header('link'); > + for my $link (@links) { > + if ($link =3D~ /^<(.*)>;rel=3D"alternate"$/) { > + my $url =3D $1; > + my $chain =3D eval { __get_result($self->do(POST =3D> $url, ''), 2= 00, 1); }; > + die "failed to retrieve alternate chain from '$url' - $@\n" if $@; > + my @certs =3D PVE::Certificate::split_pem($chain); > + my $root_pem =3D $certs[-1]; > + my ($file, $fh) =3D PVE::Tools::tempfile_contents($root_pem); > + my $info =3D PVE::Certificate::get_certificate_info($file); > + if ((defined($info->{subject}) && $info->{subject} =3D~ m/\Q$root\= E/) > + || (defined($info->{issuer}) && $info->{issuer} =3D~ m/\Q$root\E/)) { > + $res =3D $chain; > + $found =3D 1; > + last; > + } > + } > + } > + die "didn't find alternate chain matching '$root'\n" if !$found; > + } > if ($res =3D~ /^(-----BEGIN CERTIFICATE-----)(.+)(-----END CERTIFICATE-= ----)$/s) { # untaint > return $1 . $2 . $3; > }