Develop - FixLetEncryptCertChain-import #3
For your review. 😄
The main strategy is importing a certificate chain once with keytool and therefore not needing any other individual certificate inside the key store.
Take note that the root certificate is also replaced by the ISRG Root X1 certificate of LetsEncrypt. Since it is the root cert, it is self-signed.
Obviously you may want to work your magic to implement a solution that is not hardcoded.
Though before you dive into that, maybe it is worth pondering if we truly want to terminate SSL at this machine, or maybe place Cloudflare in between and have a private SSL relation between Cloudflare and the server. Penny for your thoughts on that one.
In this solution the server provides visiting clients with a certificate chain and not "a leaf", or an individual cert. Therefore clients do not have to rebuild the chain themselves blindly, preventing them from taking "a wrong turn" when different chains exist. (I do wonder why clients don't try the other chain when one fails.)
Correct me if I'm wrong. Feedback is welcome.
//JJ tags just so you can easily see what I touched when inside the file. Obviously you can remove them after you have validated the changes will do no unintentional harm.
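As an added illustration of the keytool chain import described above (this is not the PR's own code), the script below sanity-checks a PEM bundle before importing it as the certificate reply for an existing key entry. It assumes keytool is on PATH, that the keystore already holds the private key under the given alias, and that the chain file is ordered leaf-first with ISRG Root X1 appended last; the sample bundle at the bottom is constructed placeholder base64, not real certificates.

```shell
#!/bin/sh
# Added example, not from the PR. Assumes: keytool on PATH, keystore already
# contains the private key under KEY_ALIAS, chain file is leaf-first/root-last.

# Count certificates in a PEM bundle (one per BEGIN CERTIFICATE marker).
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# A usable chain has matching BEGIN/END markers and at least two certificates
# (leaf plus at least one CA cert). A single cert is "a leaf", not a chain.
pem_chain_is_sane() {
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1")
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$1")
    [ "$begins" -eq "$ends" ] && [ "$begins" -ge 2 ]
}

# Print the n-th certificate block (1-based) of the bundle, markers included.
pem_nth_cert() {
    awk -v n="$2" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /-----END CERTIFICATE-----/ { if (i == n) exit }' "$1"
}

# Import the whole bundle as the certificate reply for the key entry ALIAS, so
# the keystore serves the full chain instead of a lone leaf certificate.
import_chain() {
    chain=$1; keystore=$2; alias=$3; storepass=$4
    pem_chain_is_sane "$chain" || {
        echo "refusing to import: $chain is not a multi-certificate chain" >&2
        return 1
    }
    keytool -importcert -noprompt -trustcacerts \
        -alias "$alias" -file "$chain" \
        -keystore "$keystore" -storepass "$storepass"
}

# Constructed sample bundle with placeholder base64 (NOT real certificates),
# only to exercise the sanity checks; use the real fullchain.pem in practice.
SAMPLE_CHAIN=$(mktemp)
cat > "$SAMPLE_CHAIN" <<'EOF'
-----BEGIN CERTIFICATE-----
TEFFRiBQTEFDRUhPTERFUg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFIFBMQUNFSE9MREVS
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Uk9PVCBQTEFDRUhPTERFUg==
-----END CERTIFICATE-----
EOF
```

Real usage would be `import_chain fullchain.pem keystore.jks server changeit`; the keytool alias must match the private key entry the CSR was generated from, otherwise keytool treats the file as a trusted certificate rather than a reply.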