From 2afea7930985e2f996f469590b6686dba2b09ffb Mon Sep 17 00:00:00 2001
From: xenolf
Date: Sat, 24 Oct 2015 04:31:12 +0200
Subject: [PATCH] Fix cert bundle order

---
 acme/client.go | 29 +++++++++++++----------------
 acme/crypto.go | 14 ++++++--------
 2 files changed, 19 insertions(+), 24 deletions(-)

diff --git a/acme/client.go b/acme/client.go
index d7ae3b82..f481b208 100644
--- a/acme/client.go
+++ b/acme/client.go
@@ -184,9 +184,9 @@ func (c *Client) RevokeCertificate(certificate []byte) error {
 return err
 }
 
- x509Cert := certificates[len(certificates)-1]
+ x509Cert := certificates[0]
 if x509Cert.IsCA {
- return fmt.Errorf("Certificate bundle ends with a CA certificate")
+ return fmt.Errorf("Certificate bundle starts with a CA certificate")
 }
 
 encodedCert := base64.URLEncoding.EncodeToString(x509Cert.Raw)
@@ -225,9 +225,9 @@ func (c *Client) RenewCertificate(cert CertificateResource, revokeOld bool, bund
 return CertificateResource{}, err
 }
 
- x509Cert := certificates[len(certificates)-1]
+ x509Cert := certificates[0]
 if x509Cert.IsCA {
- return CertificateResource{}, fmt.Errorf("[%s] Certificate bundle ends with a CA certificate", cert.Domain)
+ return CertificateResource{}, fmt.Errorf("[%s] Certificate bundle starts with a CA certificate", cert.Domain)
 }
 
 // This is just meant to be informal for the user.
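Review bot: The new `x509Cert := certificates[0]` indexes the slice without a length check, so an empty PEM bundle would panic here unless the decoder above the hunk is guaranteed to return an error for zero certificates, and that guarantee is not visible from this hunk. A guard such as `if len(certificates) == 0 { return fmt.Errorf("Certificate bundle contains no certificates") }` placed before the index keeps a malformed bundle an error instead of a crash. The `IsCA` test on the first element is consistent with the new leaf-first order. RevokeCertificate starts and ends outside this hunk.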
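Review bot: RenewCertificate now repeats the leaf lookup and `IsCA` check from RevokeCertificate verbatim, including the same unguarded `certificates[0]` index, so the two can drift apart the next time the bundle order or the message changes. Pulling both into one helper that also rejects an empty bundle keeps the check and its wording in a single place; the call site becomes `x509Cert, err := leafCertificate(certificates)` with the domain prefix added when wrapping `err`. The element type is assumed to be `*x509.Certificate` from the `IsCA` access; confirm against the decoder, which is outside the hunk. RenewCertificate starts and ends outside this hunk.
```go
// leafCertificate returns the end-entity certificate of a leaf-first bundle,
// rejecting an empty bundle or one that starts with a CA certificate.
func leafCertificate(certificates []*x509.Certificate) (*x509.Certificate, error) {
	if len(certificates) == 0 {
		return nil, fmt.Errorf("Certificate bundle contains no certificates")
	}
	if certificates[0].IsCA {
		return nil, fmt.Errorf("Certificate bundle starts with a CA certificate")
	}
	return certificates[0], nil
}
```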
@@ -269,16 +269,15 @@ func (c *Client) RenewCertificate(cert CertificateResource, revokeOld bool, bund
 if err != nil {
 // If we fail to aquire the issuer cert, return the issued certificate - do not fail.
 logger().Printf("[%s] Could not bundle issuer certificate.\n%v", cert.Domain, err)
- cert.Certificate = issuedCert
 } else {
- // Success - prepend the issuer cert to the issued cert.
+ // Success - append the issuer cert to the issued cert.
 issuerCert = pemEncode(derCertificateBytes(issuerCert))
- issuerCert = append(issuerCert, issuedCert...)
- cert.Certificate = issuerCert
+ issuedCert = append(issuedCert, issuerCert...)
+ cert.Certificate = issuedCert
 }
- } else {
- cert.Certificate = issuedCert
 }
+
+ cert.Certificate = issuedCert
 
 return cert, nil
 }
@@ -482,16 +481,14 @@ func (c *Client) requestCertificate(authz *authorizationResource, result chan Ce
 if err != nil {
 // If we fail to aquire the issuer cert, return the issued certificate - do not fail.
 logger().Printf("[%s] Could not bundle issuer certificate.\n%v", authz.Domain, err)
- cerRes.Certificate = issuedCert
 } else {
- // Success - prepend the issuer cert to the issued cert.
+ // Success - append the issuer cert to the issued cert.
 issuerCert = pemEncode(derCertificateBytes(issuerCert))
- issuerCert = append(issuerCert, issuedCert...)
- cerRes.Certificate = issuerCert
+ issuedCert = append(issuedCert, issuerCert...)
 }
- } else {
- cerRes.Certificate = issuedCert
 }
+
+ cerRes.Certificate = issuedCert
 logger().Printf("[%s] Server responded with a certificate.", authz.Domain)
 result <- cerRes
 return
diff --git a/acme/crypto.go b/acme/crypto.go
index b928271c..0054eb77 100644
--- a/acme/crypto.go
+++ b/acme/crypto.go
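Review bot: The `cert.Certificate = issuedCert` kept inside the else branch is now redundant, because the new assignment after the block sets the same value on every path; dropping that branch-local line leaves the else branch as just the `pemEncode` and `append` lines and matches what the requestCertificate hunk in this same patch does. Leaf-first is the chain layout TLS peers expect, so the ordering change itself reads correctly. RenewCertificate starts outside this hunk.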
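Review bot: The fetched issuer is appended to the bundle without checking that it actually signed the leaf, so a wrong or stale issuer returned by the CA would be bundled silently and only surface later as a TLS client failure. `issuerCert` appears to be a parsed `*x509.Certificate` given the `derCertificateBytes` call; if a parsed leaf is also available here (the decode is outside the hunk), `if err := leaf.CheckSignatureFrom(issuerCert); err != nil { logger().Printf("[%s] Issuer certificate does not match.\n%v", authz.Domain, err) }` before `pemEncode`, taking the leaf-only path on failure, would reuse the fallback the error branch already provides instead of shipping a mismatched chain. The same applies to the RenewCertificate hunk above. requestCertificate starts outside this hunk.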
@@ -61,17 +61,15 @@ func GetOCSPForCert(bundle []byte) ([]byte, error) {
 }
 
 // Insert it into the slice on position 0
- // We want it ordered right CA -> CRT
- certificates = append(certificates, nil)
- copy(certificates[1:], certificates[0:])
- certificates[0] = issuerCert
+ // We want it ordered right SRV CRT -> CA
+ certificates = append(certificates, issuerCert)
 }
 
 // We expect the certificate slice to be ordered downwards the chain.
- // CA -> CRT. We need to pull the cert and issuer cert out of it, which should
- // always be the last two certificates.
- issuedCert := certificates[len(certificates)-1]
- issuerCert := certificates[len(certificates)-2]
+ // SRV CRT -> CA. We need to pull the cert and issuer cert out of it,
+ // which should always be the last two certificates.
+ issuedCert := certificates[0]
+ issuerCert := certificates[1]
 
 // Finally kick off the OCSP request.
 ocspReq, err := ocsp.CreateRequest(issuedCert, issuerCert, nil)
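Review bot: Two comments on the new side now contradict the code they describe: the kept `// Insert it into the slice on position 0` precedes an append to the end, and the new `// which should always be the last two certificates.` precedes reads of `certificates[0]` and `certificates[1]`; suggest `// Append it so the slice stays leaf-first: SRV CRT -> CA` and `// which should always be the first two certificates.`. Separately, `certificates[1]` panics on a one-certificate bundle whenever the issuer fetch above the hunk is skipped or fails without returning, so a guard like `if len(certificates) < 2 { return nil, fmt.Errorf("Certificate bundle has no issuer certificate") }` (using whichever error constructor the file already imports) would turn that into an error. Because the pair is chosen by position alone, a bundle supplied CA-first would build an OCSP request for the wrong certificate; `issuedCert.CheckSignatureFrom(issuerCert)` before `ocsp.CreateRequest` catches that cheaply. GetOCSPForCert starts and ends outside this hunk.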