👋 I noticed that some https servers expect a newline at the end of the cert body and chain when terminating TLS (e.g., golang; older example with kubernetes nginx ingress). The relevant RFC seems to indicate parsers need to handle different newline conventions:
> Furthermore, parsers SHOULD ignore whitespace and other non-base64 characters and MUST handle different newline conventions.
One server failed for me after retrieving a cert from a Lemur destination upload because it thought our PEM block was malformed due to concatenating the domain cert and chain without newlines, and skipped over it. We realized we had introduced the bug ourselves in parsing, however, so not sure how big of an issue this is.
I added a patch in havron@76b1bb7; is there interest in a PR to enforce this for all certs? I wasn't sure what an appropriate way to test this would be, since we'd maybe want to mock a server loading the certs with+without newlines.
Hey Sam, thanks for sharing this with us. Honestly, we haven't experienced any issues with the current destinations we use, and I am not sure what would break if we change the newline. We can keep an eye out if this should become needed.
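An added example, not part of the original issue or of Lemur's code: a Python reproduction of the failure reported at the top of this thread (a leaf cert without a trailing newline glued to its chain) and of a join that normalizes every block first. The sample blocks are constructed (arbitrary bytes, not real certificates), `strict_count` is a hypothetical stand-in for a line-oriented consumer, and all function names are assumptions.

```python
import base64
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# Tolerant matcher: boundaries may be glued together; newlines may be LF or CRLF.
_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.DOTALL)

def _wrap(der):
    """Canonical PEM text: LF newlines, 64-char lines, one trailing newline."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"

def split_pem_blocks(text):
    """Return every certificate block in canonical form, ignoring whitespace
    and other non-base64 characters inside the body."""
    bodies = (re.sub(r"[^A-Za-z0-9+/=]", "", b) for b in _BLOCK.findall(text))
    return [_wrap(base64.b64decode(b, validate=True)) for b in bodies]

def join_pem(cert, chain):
    """Concatenate leaf and chain so each block ends with exactly one newline."""
    return "".join(split_pem_blocks(cert) + split_pem_blocks(chain))

def strict_count(text):
    """Hypothetical strict consumer: counts only blocks whose BEGIN and END
    markers each stand alone on a line."""
    count, inside = 0, False
    for line in text.splitlines():
        if line == BEGIN:
            inside = True
        elif line == END and inside:
            count, inside = count + 1, False
    return count

# Constructed sample input: PEM framing around arbitrary bytes, not real certificates.
LEAF = _wrap(b"constructed leaf " * 8).rstrip("\n")           # no final newline
CHAIN = _wrap(b"constructed intermediate " * 8).replace("\n", "\r\n")
NAIVE = LEAF + CHAIN    # contains "-----END CERTIFICATE----------BEGIN CERTIFICATE-----"
FIXED = join_pem(LEAF, CHAIN)

if __name__ == "__main__":
    print("naive:", strict_count(NAIVE), "fixed:", strict_count(FIXED))
```

With the naive concatenation the strict reader sees one block that silently spans both bodies; after `join_pem` it sees two, which makes this pair usable as a with/without-newline test fixture without mocking a server.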