Fix cert bundle order

xenolf 2015-10-24 04:31:12 +02:00
parent 51a95ee548
commit 2afea79309
2 changed files with 19 additions and 24 deletions


@ -184,9 +184,9 @@ func (c *Client) RevokeCertificate(certificate []byte) error {
return err return err
} }
x509Cert := certificates[len(certificates)-1] x509Cert := certificates[0]
if x509Cert.IsCA { if x509Cert.IsCA {
return fmt.Errorf("Certificate bundle ends with a CA certificate") return fmt.Errorf("Certificate bundle starts with a CA certificate")
} }
encodedCert := base64.URLEncoding.EncodeToString(x509Cert.Raw) encodedCert := base64.URLEncoding.EncodeToString(x509Cert.Raw)
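Review bot: `x509Cert := certificates[0]` on the new side indexes the parsed bundle without a length check, so a bundle that parses to zero certificates panics before the IsCA test is reached; the second hunk in RenewCertificate has the same pattern. Unless the parser whose `return err` precedes it is known to reject an empty bundle (not visible in this hunk), guard it: `if len(certificates) == 0 { return fmt.Errorf("Certificate bundle contains no certificates") }` (returning `CertificateResource{}, …` in RenewCertificate). The IsCA test only rejects a bundle whose first entry is a CA; it does not check that the remaining entries chain to it, which is adequate for picking the leaf but should not be read as bundle validation. Both enclosing functions start and end outside their hunks.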
@ -225,9 +225,9 @@ func (c *Client) RenewCertificate(cert CertificateResource, revokeOld bool, bund
return CertificateResource{}, err return CertificateResource{}, err
} }
x509Cert := certificates[len(certificates)-1] x509Cert := certificates[0]
if x509Cert.IsCA { if x509Cert.IsCA {
return CertificateResource{}, fmt.Errorf("[%s] Certificate bundle ends with a CA certificate", cert.Domain) return CertificateResource{}, fmt.Errorf("[%s] Certificate bundle starts with a CA certificate", cert.Domain)
} }
// This is just meant to be informal for the user. // This is just meant to be informal for the user.
@ -269,16 +269,15 @@ func (c *Client) RenewCertificate(cert CertificateResource, revokeOld bool, bund
if err != nil { if err != nil {
// If we fail to aquire the issuer cert, return the issued certificate - do not fail. // If we fail to aquire the issuer cert, return the issued certificate - do not fail.
logger().Printf("[%s] Could not bundle issuer certificate.\n%v", cert.Domain, err) logger().Printf("[%s] Could not bundle issuer certificate.\n%v", cert.Domain, err)
cert.Certificate = issuedCert
} else { } else {
// Success - prepend the issuer cert to the issued cert. // Success - append the issuer cert to the issued cert.
issuerCert = pemEncode(derCertificateBytes(issuerCert)) issuerCert = pemEncode(derCertificateBytes(issuerCert))
issuerCert = append(issuerCert, issuedCert...) issuedCert = append(issuedCert, issuerCert...)
cert.Certificate = issuerCert
}
} else {
cert.Certificate = issuedCert cert.Certificate = issuedCert
} }
}
cert.Certificate = issuedCert
return cert, nil return cert, nil
} }
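Review bot: The new side assigns `cert.Certificate = issuedCert` unconditionally after the if-block, with `issuedCert = append(issuedCert, issuerCert...)` producing the leaf-first order that RevokeCertificate and GetOCSPForCert now index at positions 0 and 1; this matches the conventional TLS chain order (leaf, then issuer). The comment `// Success - append the issuer cert to the issued cert.` would be clearer as `// Success - bundle is leaf first, then issuer; RevokeCertificate and GetOCSPForCert rely on this order.`, so the ordering contract is stated where it is created; the same comment change applies to the requestCertificate hunk below. The GetOCSPForCert comment in the second file still says the leaf and issuer are "the last two certificates" although it now reads `certificates[0]` and `certificates[1]`, so it should say "first two". RenewCertificate begins outside this hunk.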
@ -482,16 +481,14 @@ func (c *Client) requestCertificate(authz *authorizationResource, result chan Ce
if err != nil { if err != nil {
// If we fail to aquire the issuer cert, return the issued certificate - do not fail. // If we fail to aquire the issuer cert, return the issued certificate - do not fail.
logger().Printf("[%s] Could not bundle issuer certificate.\n%v", authz.Domain, err) logger().Printf("[%s] Could not bundle issuer certificate.\n%v", authz.Domain, err)
cerRes.Certificate = issuedCert
} else { } else {
// Success - prepend the issuer cert to the issued cert. // Success - append the issuer cert to the issued cert.
issuerCert = pemEncode(derCertificateBytes(issuerCert)) issuerCert = pemEncode(derCertificateBytes(issuerCert))
issuerCert = append(issuerCert, issuedCert...) issuedCert = append(issuedCert, issuerCert...)
cerRes.Certificate = issuerCert
} }
} else { }
cerRes.Certificate = issuedCert cerRes.Certificate = issuedCert
}
logger().Printf("[%s] Server responded with a certificate.", authz.Domain) logger().Printf("[%s] Server responded with a certificate.", authz.Domain)
result <- cerRes result <- cerRes
return return


@ -61,17 +61,15 @@ func GetOCSPForCert(bundle []byte) ([]byte, error) {
} }
// Insert it into the slice on position 0 // Insert it into the slice on position 0
// We want it ordered right CA -> CRT // We want it ordered right SRV CRT -> CA
certificates = append(certificates, nil) certificates = append(certificates, issuerCert)
copy(certificates[1:], certificates[0:])
certificates[0] = issuerCert
} }
// We expect the certificate slice to be ordered downwards the chain. // We expect the certificate slice to be ordered downwards the chain.
// CA -> CRT. We need to pull the cert and issuer cert out of it, which should // SRV CRT -> CA. We need to pull the cert and issuer cert out of it,
// always be the last two certificates. // which should always be the last two certificates.
issuedCert := certificates[len(certificates)-1] issuedCert := certificates[0]
issuerCert := certificates[len(certificates)-2] issuerCert := certificates[1]
// Finally kick off the OCSP request. // Finally kick off the OCSP request.
ocspReq, err := ocsp.CreateRequest(issuedCert, issuerCert, nil) ocspReq, err := ocsp.CreateRequest(issuedCert, issuerCert, nil)