Bundle the CA public key in issued certificate #317
Conversation
/test all

@munnerz I haven't had time yet to run with ACME and Let's Encrypt, but shouldn't that present the same issue as I have here? So I'm thinking if I have done this too quickly...

@radhus yep you are correct, we don't do this for ACME right now. As per this comment however, ACME v2 will begin returning the intermediate certificate automatically: #292 (comment) As a result, I think I'm happy to accept this change now. v0.3 should include ACMEv2 support, and so the 0.3 release should at least be consistent (and just the :canary won't be for now). Thanks very much for this PR! 😄

/ok-to-test
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: munnerz
/test all [submit-queue is verifying that this PR is safe to merge]

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.
What this PR does / why we need it:
If the CA used is only an intermediate CA, and the root CA is trusted by the client, the client needs help verifying the certificate chain.
This also makes the CA present in the certificate even if it's the root CA.
Which issue this PR fixes:
Trusting certs issued by intermediate CAs used by cert-manager.
Special notes for your reviewer:
I have tested this locally with my own intermediate CA used by cert-manager, issued by my own root CA trusted by my macOS client. The whole certificate chain is now presented in the browser.
The idea to just append the certificates is based on cfssl's mkbundle:
https://github.com/cloudflare/cfssl/blob/1.3.0/cmd/mkbundle/mkbundle.go#L97
Release note: