Update dependencies and fix OCSP stapling #6
Conversation
Using the last cert in the chain caused "unauthorized" responses
|
Thanks much for you contribution! I will look at it soon. |
server/ocsp.go
Outdated
| @@ -154,7 +154,7 @@ func (m *ocspManager) touchState(keyName string) { | |||
| ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) | |||
| defer cancel() | |||
|
|
|||
| issuer, err := x509.ParseCertificate(cert.Certificate[len(cert.Certificate)-1]) | |||
| issuer, err := x509.ParseCertificate(cert.Certificate[len(cert.Certificate)-2]) | |||
There was a problem hiding this comment.
cert.Certificate[length-1] shoule be the certificate of "Let's Encrypt", and cert.Certificate[length-2] will be the certificate of "ISRG Root X1", I am not sure why this should be changed to cert.Certificate[length-2] ?
There was a problem hiding this comment.
Well, I can confirm the "unauthorized" responses in log, but have no idea why it happens
There was a problem hiding this comment.
Sorry, I made a mistake, the certificate of "Let's Encrypt" should be cert.Certificate[1], this line should be
issuer, err := x509.ParseCertificate(cert.Certificate[1]), how about your thought?
There was a problem hiding this comment.
Indeed, the second cert in the chain is what we need. I've updated the code to directly specify cert.Certificate[1] here.
Thanks for the review!
Hi
This PR fixes two things:
golang.org/x/cryptoso the correct certificate chain is included in the LE certs (older versions included the expired certificates)Tested these changes and works as expected.
Please let me know if this needs changes.
Thanks!
Kind regards,
Cedric