Change Details

After implementing configuration to have a certificate from Let's Encrypt via ACME be requested, then using that certificate for the HTTPS server/API, we noticed the certificate chain is not presented, therefore causing clients to not trust it. ``` yzguy@prometheus:~# openssl s_client -connect router.dal1.routedbits.com:8443 CONNECTED(00000003) depth=0 CN = router.dal1.routedbits.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = router.dal1.routedbits.com verify error:num=21:unable to verify the first certificate verify return:1 depth=0 CN = router.dal1.routedbits.com verify return:1 --- Certificate chain 0 s:CN = router.dal1.routedbits.com i:C = US, O = Let's Encrypt, CN = R3 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Jan 31 19:03:42 2024 GMT; NotAfter: Apr 30 19:03:41 2024 GMT --- ``` The ACME support was originally added in https://github.com/vyos/vyos-1x/pull/2758, and looking at the code that was removed it referenced the `fullchain.pem` ``` ssl_certificate {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/fullchain.pem; ``` The new changes later reference only the `cert.pem` ``` tmp = read_file(f'{vyos_certbot_dir}/live/{name}/cert.pem') ``` Ideally, one of two options 1. This is changed to read the `fullchain.pem` which loads the certificate+chain into PKI 2. Additional steps to load the chain certificates from `chain.pem` into PKI happen, likely have to read the file and load each certificate individually

After implementing configuration to have a certificate from Let's Encrypt via ACME be requested, then using that certificate for the HTTPS server/API, we noticed the certificate chain is not presented, therefore causing clients to not trust it. ``` pki { certificate LETS-ENCRYPT { acme { domain-name router.dal1.routedbits.com email <email> } } } service { https { certificates { certificate LETS-ENCRYPT } port 8443 } } ``` ``` yzguy@prometheus:~# openssl s_client -connect router.dal1.routedbits.com:8443 CONNECTED(00000003) depth=0 CN = router.dal1.routedbits.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = router.dal1.routedbits.com verify error:num=21:unable to verify the first certificate verify return:1 depth=0 CN = router.dal1.routedbits.com verify return:1 --- Certificate chain 0 s:CN = router.dal1.routedbits.com i:C = US, O = Let's Encrypt, CN = R3 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Jan 31 19:03:42 2024 GMT; NotAfter: Apr 30 19:03:41 2024 GMT --- ``` The ACME support was originally added in https://github.com/vyos/vyos-1x/pull/2758, and looking at the code that was removed it referenced the `fullchain.pem` ``` ssl_certificate {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/fullchain.pem; ``` The new changes later reference only the `cert.pem` ``` tmp = read_file(f'{vyos_certbot_dir}/live/{name}/cert.pem') ``` Ideally, one of two options 1. This is changed to read the `fullchain.pem` which loads the certificate+chain into PKI 2. Additional steps to load the chain certificates from `chain.pem` into PKI happen, likely have to read the file and load each certificate individually

After implementing configuration to have a certificate from Let's Encrypt via ACME be requested, then using that certificate for the HTTPS server/API, we noticed the certificate chain is not presented, therefore causing clients to not trust it. ``` pki { certificate LETS-ENCRYPT { acme { domain-name router.dal1.routedbits.com email <email> } } } service { https { certificates { certificate LETS-ENCRYPT } port 8443 } } ``` ``` yzguy@prometheus:~# openssl s_client -connect router.dal1.routedbits.com:8443 CONNECTED(00000003) depth=0 CN = router.dal1.routedbits.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = router.dal1.routedbits.com verify error:num=21:unable to verify the first certificate verify return:1 depth=0 CN = router.dal1.routedbits.com verify return:1 --- Certificate chain 0 s:CN = router.dal1.routedbits.com i:C = US, O = Let's Encrypt, CN = R3 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Jan 31 19:03:42 2024 GMT; NotAfter: Apr 30 19:03:41 2024 GMT --- ``` The ACME support was originally added in https://github.com/vyos/vyos-1x/pull/2758, and looking at the code that was removed it referenced the `fullchain.pem` ``` ssl_certificate {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/fullchain.pem; ``` The new changes later reference only the `cert.pem` ``` tmp = read_file(f'{vyos_certbot_dir}/live/{name}/cert.pem') ``` Ideally, one of two options 1. This is changed to read the `fullchain.pem` which loads the certificate+chain into PKI 2. Additional steps to load the chain certificates from `chain.pem` into PKI happen, likely have to read the file and load each certificate individually