Page MenuHomePhabricator
Create Task
Maniphest T218418

CN + SNI list on config file doesn't match issued certificate on some scenarios
Closed, ResolvedPublic
Actions

Description

today, @Andrew accidentally hit an interesting corner case on acme-chief. He committed the following config as part of https://gerrit.wikimedia.org/r/c/operations/puppet/+/496785:

ldap-labtest:
    CN: 'ldap-labtest.eqiad.wikimedia.org'
    SNI:
    - 'labtestservices2001.wikimedia.org'
    challenge: dns-01
    authorized_regexes:
    - '^labtestservices2001\.wikimedia\.org'

as you can notice, the CN is not included in the SAN/SNI list, but Let's Encrypt always includes the CN in the SNI list. On the first attempt. acme-chief was able to issue the certificate as expected. But this triggers the following behaviour on certificate status re-evaluation:

Mar 15 15:00:01 acmechief1001 acme-chief-backend[14291]: Certificate ldap-labtest type ec-prime256v1 has SANs {'labtestservices2001.wikimedia.org', 'ldap-labtest.eqiad.wikimedia.org'} but is configured for {'labtestservices2001.wikimedia.org'}, moving back to re-issue
Mar 15 15:00:01 acmechief1001 acme-chief-backend[14291]: Certificate ldap-labtest type rsa-2048 has SANs {'labtestservices2001.wikimedia.org', 'ldap-labtest.eqiad.wikimedia.org'} but is configured for {'labtestservices2001.wikimedia.org'}, moving back to re-issue

of course this triggers an infinite loop, hammering Let's Encrypt rate limits and every request related to that configured certificate is rejected by Let's Encrypt driving acme-chief crazy

Details

SubjectRepoBranchLines +/-
debian: Add release 0.13 to changelogoperations/software/acme-chiefdebian+8 -0
Release 0.13operations/software/acme-chiefdebian+2 -2
Release 0.13operations/software/acme-chiefmaster+2 -2
acme-chief: Ensure that the CN is part of the SNI list for certs configoperations/software/acme-chiefdebian+6 -0
acme-chief: Ensure that the CN is part of the SNI list for certs configoperations/software/acme-chiefmaster+6 -0
Customize query in gerrit

Related Objects

Event Timeline

Vgutierrez triaged this task as Medium priority.Mar 15 2019, 6:23 PM
Vgutierrez created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 15 2019, 6:23 PM
Krenair subscribed.Mar 15 2019, 6:52 PM

we should probably reject configs that don't include CN in SAN

Vgutierrez added a comment.Mar 15 2019, 6:53 PM

that's the easiest/saner way of solving this issue :)

gerritbot subscribed.Mar 18 2019, 8:16 AM

Change 497242 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@master] acme-chief: Ensure that the CN is part of the SNI list for certs config

https://gerrit.wikimedia.org/r/497242

gerritbot added a project: Patch-For-Review.Mar 18 2019, 8:16 AM
Vgutierrez added a comment.Mar 18 2019, 8:21 AM

@Krenair I think that the proposed patch is even simpler. It ensures that the CN is always part of the SNI list

Vgutierrez mentioned this in rOSAC69dd70d60d63: acme-chief: Ensure that the CN is part of the SNI list for certs config.Mar 18 2019, 8:22 AM
Vgutierrez mentioned this in T218538: Handle ACME directory 429 rate limit responses properly.Mar 18 2019, 8:27 AM
Vgutierrez mentioned this in rOSACcc7ea11904e6: acme-chief: Ensure that the CN is part of the SNI list for certs config.Mar 18 2019, 11:07 AM
gerritbot added a comment.Mar 18 2019, 11:08 AM

Change 497242 merged by Vgutierrez:
[operations/software/acme-chief@master] acme-chief: Ensure that the CN is part of the SNI list for certs config

https://gerrit.wikimedia.org/r/497242

jijiki mentioned this in rOSACe55519293b5f: acme-chief: Ensure that the CN is part of the SNI list for certs config.Mar 18 2019, 4:31 PM
gerritbot added a comment.Mar 19 2019, 2:57 AM

Change 497439 had a related patch set uploaded (by Alex Monk; owner: Vgutierrez):
[operations/software/acme-chief@debian] acme-chief: Ensure that the CN is part of the SNI list for certs config

https://gerrit.wikimedia.org/r/497439

gerritbot added a comment.Mar 19 2019, 3:36 AM

Change 497444 had a related patch set uploaded (by Alex Monk; owner: Alex Monk):
[operations/software/acme-chief@master] Release 0.12

https://gerrit.wikimedia.org/r/497444

gerritbot added a comment.Mar 19 2019, 3:34 PM

Change 497444 had a related patch set uploaded (by Alex Monk; owner: Alex Monk):
[operations/software/acme-chief@master] Release 0.13

https://gerrit.wikimedia.org/r/497444

gerritbot added a comment.Mar 19 2019, 3:34 PM

Change 497439 merged by jenkins-bot:
[operations/software/acme-chief@debian] acme-chief: Ensure that the CN is part of the SNI list for certs config

https://gerrit.wikimedia.org/r/497439

gerritbot added a comment.Mar 19 2019, 3:46 PM

Change 497444 merged by Vgutierrez:
[operations/software/acme-chief@master] Release 0.13

https://gerrit.wikimedia.org/r/497444

gerritbot added a comment.Mar 19 2019, 3:50 PM

Change 497527 had a related patch set uploaded (by Alex Monk; owner: Alex Monk):
[operations/software/acme-chief@debian] Release 0.13

https://gerrit.wikimedia.org/r/497527

gerritbot added a comment.Mar 19 2019, 3:54 PM

Change 497527 merged by jenkins-bot:
[operations/software/acme-chief@debian] Release 0.13

https://gerrit.wikimedia.org/r/497527

gerritbot added a comment.Mar 19 2019, 3:57 PM

Change 497532 had a related patch set uploaded (by Alex Monk; owner: Alex Monk):
[operations/software/acme-chief@debian] debian: Add release 0.13 to changelog

https://gerrit.wikimedia.org/r/497532

gerritbot added a comment.Mar 19 2019, 4:05 PM

Change 497532 merged by jenkins-bot:
[operations/software/acme-chief@debian] debian: Add release 0.13 to changelog

https://gerrit.wikimedia.org/r/497532

Stashbot mentioned this in T218685: acme-chief creates absolute symlinks for "live" and relative for "new" on certificate renewal.Mar 19 2019, 4:45 PM
Stashbot subscribed.

Mentioned in SAL (#wikimedia-operations) [2019-03-19T16:45:15Z] <vgutierrez> uploaded acme-chief 0.14 to apt.wikimedia.org (buster) - T218685 T218418 T207295

Stashbot mentioned this in T207295: Expose not-yet-live certs to clients so they can handle OCSP stapling.Mar 19 2019, 4:45 PM
Krenair closed this task as Resolved.Mar 19 2019, 10:27 PM
Krenair mentioned this in rOSAC0d475f6bf62f: acme-chief: Ensure that the CN is part of the SNI list for certs config.Mar 21 2019, 12:29 AM
Krenair mentioned this in rOSAC4d64bfb16dc3: Release 0.13.
Krenair mentioned this in rOSAC1910c0e957ef: debian: Add release 0.13 to changelog.
Vgutierrez mentioned this in rOSAC509944d54d3c: Release 0.13.Mar 21 2019, 12:29 AM
Krenair mentioned this in rOSAC29b55967fe2c: Release 0.13.Mar 21 2019, 12:29 AM
Krenair mentioned this in rOSACa6aeca087dfb: Release 0.13.
Krenair mentioned this in rOSACe9e1e71c687a: Release 0.13.
Krenair mentioned this in rOSAC32ef6ee66632: Release 0.12.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits