Update with new intermediate cert

wsargent · May 13, 2016 · e79dcf3 · e79dcf3
1 parent 2bd3474
commit e79dcf3
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 13 deletions.
diff --git a/.gitignore b/.gitignore
@@ -9,3 +9,4 @@ target
 
 
 conf/dst-x3-root.pem
+conf/letsencrypt-authority-x1.pem
diff --git a/app/controllers/CertificateDownloader.scala b/app/controllers/CertificateDownloader.scala
@@ -1,7 +1,9 @@
 package controllers
 
+import java.net.URL
 import java.nio.file.{FileSystems, Files, Path, StandardOpenOption}
 
+import com.typesafe.config.ConfigObject
 import contexts.WSExecutionContext
 import play.api.Configuration
 import play.api.libs.ws.WSClient
@@ -23,16 +25,22 @@ class CertificateDownloader(ws: WSClient, config:Configuration)(implicit wsExecu
 
   private val logger = org.slf4j.LoggerFactory.getLogger(this.getClass)
 
-  private val letsEncryptRootUrl = config.getString("letsencrypt.root.url").get
-  private val letsEncryptRootPath = toPath(config.getString("letsencrypt.root.path").get)
-  private val certMap = Map(letsEncryptRootUrl -> letsEncryptRootPath)
+  private val certMap: Map[URL, Path] = {
+    import scala.collection.JavaConverters._
+    val letsEncryptRootCertificates = config.getObjectList("letsencrypt.root.certificates").get
+    letsEncryptRootCertificates.asScala.map { certObj: ConfigObject =>
+      val path = certObj.get("path").unwrapped().asInstanceOf[String]
+      val url = certObj.get("url").unwrapped().asInstanceOf[String]
+      new URL(url) -> toPath(path)
+    }.toMap
+  }
 
-  def toPath(s:String) = {
-    FileSystems.getDefault().getPath(s)
+  def toPath(s:String): Path = {
+    FileSystems.getDefault.getPath(s)
   }
 
-  def certificatesExist() = {
-    certMap.exists {
+  def allCertificatesExist(): Boolean = {
+    certMap.forall {
       case (k, v) =>
         certificateExists(v)
     }
@@ -48,9 +56,9 @@ class CertificateDownloader(ws: WSClient, config:Configuration)(implicit wsExecu
     }).map(_ => ())
   }
 
-  def downloadCertificate(certificateUrl: String, path: Path): Future[Path] = {
+  def downloadCertificate(certificateUrl: URL, path: Path): Future[Path] = {
     logger.info(s"downloadCertificate: certificateUrl = $certificateUrl")
-    val future = ws.url(certificateUrl).get().map { response =>
+    val future = ws.url(certificateUrl.toString).get().map { response =>
       response.status match {
         case 200 =>
           logger.info("Create file!")

diff --git a/app/controllers/HomeController.scala b/app/controllers/HomeController.scala
@@ -41,7 +41,7 @@ class HomeController @Inject()(downloader: CertificateDownloader,
 
   def index = Action.async { implicit request =>
     // Download the LC certificates if necessary
-    val downloadFuture = if (downloader.certificatesExist()) {
+    val downloadFuture = if (downloader.allCertificatesExist()) {
       Future.successful(())
     } else {
       downloader.downloadCertificates()

diff --git a/app/controllers/LetsEncryptWSClient.scala b/app/controllers/LetsEncryptWSClient.scala
@@ -30,6 +30,7 @@ class LetsEncryptWSClient(lifecycle: ApplicationLifecycle,
       |      stores = [
       |        # Seems to be required for https://helloworld.letsencrypt.com
       |        { type = "PEM", path = "./conf/dst-x3-root.pem" }
+      |        { type = "PEM", path = "./conf/letsencrypt-authority-x1.pem" }
       |      ]
       |    }
       |  }

diff --git a/conf/application.conf b/conf/application.conf
@@ -8,8 +8,17 @@ play.i18n {
 
 include "ws"
 
-letsencrypt.root.url="https://bugzilla.mozilla.org/attachment.cgi?id=276893"
-letsencrypt.root.path="./conf/dst-x3-root.pem"
+# Use the ascii encoded DER certificate from certificate authority.
+# see https://community.letsencrypt.org/t/helloworld-letsencrypt-org-can-only-find-certificate-with-dst-x3-loaded/
+letsencrypt.root.certificates = [
+  { path: "./conf/dst-x3-root.pem", url: "https://crt.sh/?d=8395" },
+  { path: "./conf/letsencrypt-authority-x1.pem", url:"https://crt.sh/?d=9314792" }
+]
+
+# You can see what certificate chain is being used with:
+#
+# keytool -printcert -sslserver helloworld.letsencrypt.org -rfc
+
 
 # It can be helpful to run WS future results in a different dispatcher
 # so it doesn't compete with the action EC that does page renders...

diff --git a/conf/ws.conf b/conf/ws.conf
@@ -5,9 +5,10 @@ play.ws {
   # ~~~~~
   ssl {
     debug {
-      # Also export JAVA_OPTS="$JAVA_OPTS -Djava.security.debug=x509"
+      # Also export JAVA_OPTS="$JAVA_OPTS -Djava.security.debug='certpath x509'"
       trustmanager = true
       certpath = true
+      all = true
     }
 
     trustManager = {