
Wildcard custom certificates cannot be used for modules configuration #7004

Open
nrauso opened this issue Sep 3, 2024 · 2 comments
milestone goal 👑 This describes an announced milestone goal

@nrauso

nrauso commented Sep 3, 2024

It is not possible to use a third-party wildcard SSL certificate provided by an external authority for configuring modules in NS8. When you upload a third-party certificate, the UI automatically detects the FQDNs included in it. In the case of a wildcard certificate, this means that all FQDNs in the DNS namespace (e.g., *.mydomain.org) are recognized:
[screenshot: third_party_cert01]

However, this "special name" cannot be applied to any of the modules you install on an NS8 node, and the TLS certificates UI does not offer a way to manage this configuration.
Additionally, the settings page for any NS8 module includes an option to manage an LE certificate but does not allow the management of third-party certificates:
[screenshot: third_party_cert02]

In conclusion, there is no way to manage a third-party wildcard SSL certificate within NS8 (and as far as I know, 99% of third-party certificates purchased from external authorities are wildcard certificates!).

At the moment, the workaround is to manually insert the necessary DNS names along with the private key and certificate from the external authority into the redis database.

Components

core:2.9.1
traefik:2.2.3

@nrauso nrauso added the bug label Sep 3, 2024
@github-project-automation github-project-automation bot moved this to 🆕 New in NethServer Sep 3, 2024
@nrauso nrauso self-assigned this Sep 3, 2024
@NethServer NethServer deleted a comment Sep 3, 2024
@nrauso nrauso removed their assignment Oct 3, 2024
@Amygos
Member

Amygos commented Oct 17, 2024

Uploading a custom wildcard certificate prevents all subdomains from obtaining Let's Encrypt (LE) certificates.

Example:

[root@server ~]# cat  /home/traefik1/.config/state/configs/certificate-example.domain.com.yml 
http:
  routers:
    certificate-example.domain.com:
      entrypoints: https
      service: ping@internal
      rule: Host(`example.domain.com`) && Path(`//8b38cb85-451a-4795-a706-4b544d9cfd36`)
      priority: '1'
      tls:
        domains:
        - main: example.domain.com
        certresolver: acmeServer

Running the command to list certificates with api-cli shows that the example.domain.com subdomain fails to obtain its certificate, while others succeed:

[root@server ~]# api-cli run module/traefik1/list-certificates -d '{"expand_list":true}' | jq
Warning: using user "cluster" credentials from the environment
[
  {
    "fqdn": "mail.service.domain.com",
    "type": "internal",
    "obtained": true
  },
  {
    "fqdn": "example.domain.com",
    "type": "internal",
    "obtained": false
  },
  ...
  {
    "fqdn": "*.domain.com",
    "type": "custom",
    "obtained": true
  }
]

Testing port 443 returns the wildcard certificate instead of obtaining an LE certificate:

[user@local ~]$ curl -v https://example.domain.com
...
* Server certificate:
*  subject: CN=*.domain.com
*  start date: May 21 00:00:00 2024 GMT
*  expire date: Jan 31 23:59:59 2025 GMT
*  subjectAltName: host "example.domain.com" matched cert's "*.domain.com"

Problem:

  • Traefik doesn't request an LE certificate for subdomains if a wildcard certificate is installed.
  • acme.json is not updated, and the event of obtaining a certificate is never triggered.
  • If a module does not use port 443, it cannot acquire the certificate automatically.

@DavidePrincipi DavidePrincipi added this to the NethServer M8.3 milestone Nov 7, 2024
@gsanchietti gsanchietti removed the bug label Nov 14, 2024
@DavidePrincipi DavidePrincipi added the milestone goal 👑 This describes an announced milestone goal label Dec 20, 2024
@scblakely

scblakely commented Jan 15, 2025

Modifying

ns8-mail/imageroot/bin/install-certificate

as follows allows a wildcard certificate to be installed into ns8-mail:

Replace

redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" key | base64 -d > server.key
redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" cert | base64 -d > server.pem

if [[ $(head -c 5 server.key) != '-----' || $(head -c 5 server.pem) != '-----' ]]; then
    echo "[WARNING] ${service_image} certificate for ${MAIL_HOSTNAME} not found" 1>&2
    exit 2
fi

with the following code:

# In the first instance, look for a wildcard domain certificate

# Strip the first label of the mail hostname to obtain its parent domain
domain=$(echo "${MAIL_HOSTNAME}" | sed -n 's/[^.]*\.//p')
wildcard="*.${domain}"

redis-exec HGET "module/${mtraefik}/certificate/${wildcard}" key | base64 -d > server.key
redis-exec HGET "module/${mtraefik}/certificate/${wildcard}" cert | base64 -d > server.pem
if [[ $(head -c 5 server.key) != '-----' || $(head -c 5 server.pem) != '-----' ]]; then
    # look for the MAIL_HOSTNAME certificate
    echo "[INFO] ${service_image} wildcard certificate for ${domain} not found" 1>&2
    redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" key | base64 -d > server.key
    redis-exec HGET "module/${mtraefik}/certificate/${MAIL_HOSTNAME}" cert | base64 -d > server.pem
fi

# Do we have a valid certificate to install?
if [[ $(head -c 5 server.key) != '-----' || $(head -c 5 server.pem) != '-----' ]]; then
    echo "[WARNING] ${service_image} certificate for ${MAIL_HOSTNAME} not found" 1>&2
    exit 2
fi

This checks for a wildcard certificate to install and installs it before looking for the $MAIL_HOSTNAME certificate.
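The lookup order proposed above (wildcard first, then the exact hostname) can be expressed as a small selection function over the `list-certificates` output shown earlier in the thread. This is an added example, not code from the NS8 project; it assumes a constructed listing in the shape of that `api-cli` output and applies the single-label wildcard rule of RFC 6125, so `*.domain.com` covers `example.domain.com` but not `mail.service.domain.com` or the bare `domain.com`.

```python
import json

# Constructed sample mirroring the api-cli list-certificates output above
SAMPLE_LIST = json.dumps([
    {"fqdn": "mail.service.domain.com", "type": "internal", "obtained": True},
    {"fqdn": "example.domain.com", "type": "internal", "obtained": False},
    {"fqdn": "*.domain.com", "type": "custom", "obtained": True},
])


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """True if "*.parent" covers hostname, i.e. exactly one non-empty extra label."""
    if not pattern.startswith("*."):
        return False
    parent = pattern[2:]
    head, sep, tail = hostname.partition(".")
    # "a.b.domain.com" and bare "domain.com" are NOT covered by "*.domain.com"
    return bool(head) and sep == "." and tail == parent


def select_certificate(hostname: str, listing: str, prefer_wildcard: bool = True):
    """Return the listing entry to install for hostname, or None.

    Assumption for this example: an entry with "obtained": false has no
    key/cert payload to install, the case the '-----' header check in the
    script above catches. prefer_wildcard=True reproduces the proposed order.
    """
    usable = [e for e in json.loads(listing) if e.get("obtained")]
    exact = next((e for e in usable if e["fqdn"] == hostname), None)
    wild = next((e for e in usable if wildcard_covers(e["fqdn"], hostname)), None)
    if prefer_wildcard:
        return wild or exact
    return exact or wild


if __name__ == "__main__":
    for host in ("example.domain.com", "mail.service.domain.com",
                 "other.domain.com", "domain.com"):
        chosen = select_certificate(host, SAMPLE_LIST)
        print(host, "->", chosen["fqdn"] if chosen else "no certificate")
```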

@DavidePrincipi DavidePrincipi self-assigned this Jan 21, 2025
@DavidePrincipi DavidePrincipi moved this from ToDo to In Progress in NethServer Jan 21, 2025
DavidePrincipi added a commit to NethServer/ns8-traefik that referenced this issue Feb 10, 2025
feat: verify chain of uploaded certificate

Refs NethServer/dev#7004
DavidePrincipi added a commit to NethServer/ns8-traefik that referenced this issue Feb 24, 2025
feat(certs): capture ACME error message

Refs NethServer/dev#7004