singleflight is used to deduplicate requests to issue a new certificate

Unfortunately the key used is a static string "issue" which if simultaneous requests come in for different common names that are not cached the wrong result may be returned.

Changing the key from the fixed string to the same key used for the cache (name in this context) would prevent the issue from occurring.

I haven't actually run into this issue myself (my usage of certify only ever has the one common name being issued) but stumbled across it while looking at the code for unrelated reasons so I thought I'd open a bug report rather than a trivial PR just in case I've misunderstood the logic being used.

Should've been included as part of #5 but forgot.

We're using dockertest at the moment, which doesn't support podman. Would be nice to be able to use either or.

Is your feature request related to a problem? Please describe.

When using the proxy there is no way to rotate the token without restarting the proxy with the updated configuration.

Describe the solution you'd like

The proxy to attempt to rotate the key when is it near expiry.

Additional context

Vault expiring tokens that are used to obtain access to the API.

Describe the bug
When reading the secret in the Vault issuer the line below may panic invalid memory address or nil pointer dereference:

This is due to a nil secret being received in the signCSR method:

Steps to reproduce the bug
Vault server that is sealed or having temporary network issues during read/write.

Expected behavior
Return error in this edge case and not raise a panic to the application.

http://bit.ly/bolt-for-github

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

• Update module github.com/cloudflare/cfssl to v1.6.3
• Update module github.com/hashicorp/vault/api to v1.8.1
• Update module google.golang.org/grpc to v1.50.1
• Update module go to 1.19
• Update module golang.org/x/sync to v0.1.0

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Is your feature request related to a problem? Please describe.
When running in Kubernetes, services should be able to get certificates without an external service.

Describe the solution you'd like
When a "certificate get or create" called, with kubernetes client, tls secret will be queried or created if not exists.
The API and client is here:
https://github.com/kubernetes/client-go/blob/acc621f88da0907c3eee966001ea99bd59b0f92c/kubernetes/typed/core/v1/secret.go

Describe alternatives you've considered
Mesh networks (eg. Istio) allow mutual tls for services but it is too much hassle to do just mutual tls.

I would like to implement this, so I would like to create a pull request if you find it useful.

matryer/moq#84 was recently closed, we should update the version and try to generate without the GOPATH again.

Is your feature request related to a problem? Please describe.
Vault is a certified piece of software, and we should ensure that our issuer uses the same version on dependencies as the version of their API client that we're using does, to be as compliant as possible with their certification.

Describe the solution you'd like
Something like what is proposed in https://gophers.slack.com/archives/C9BMAAFFB/p1551785876101400, e.g. merge a temporarily created go.mod with our own to maintain the same version requirements.

See https://github.com/smallstep/certificates. Looks like it has a Go client.

Probably just in the Certify struct for now, since any errors seen in the issuers should be propagate to Certify. The interface must default to a noop implementation that can safely be called. Perhaps just use logrus as well.

Dogtag PKI is a CA developed by Red Hat. It has what looks like an XML REST API. It does not appear to have a Go API client, so we'd probably just write manual HTTP requests.

See https://github.com/dogtagpki/pki for more information.

Is your feature request related to a problem? Please describe.
With current setup users of the library need to pull dependencies for all issuers even though most of them will only use a single one.

Describe the solution you'd like
Create a submodule per issuer, then every user will only have to pull dependencies for the issuer they are using.

Additional context
This is quite simple to do I've done it in this fork https://github.com/utilitywarehouse/certify, I can make a PR if you want, but it's probably easier to set this up when you have access to the repo.
After switching to my fork with submodules I got the following change in go.sum file in a module that's using cfssl issuer https://gist.github.com/SpeedyCoder/1d9e6216cd5fc877ea4cb059faadc220
(I also bumped dependencies, but the point is the number of lines removed...)

Describe the bug

We have services that health check every 15 seconds, These result in a call to certify to get the service certificate. Whenever this happens there are 2 log messages written to debug output, one saying that certify is getting the certificate and one saying it is successful.

This fills the logs with certify entries getting in the way of seeing the real service logs

Steps to reproduce the bug

Use certify to provide a certificate, every call to certify.GetCertificate results in these log entries

Expected behavior

Log entries should only occur if a new certificate is being requested or if there is an error, default "happy path" behaviour should not result in these logs

What happened instead

Lots of log messages observed

Additional context

Hello and first of all thank you for the great project, it's definitely saving me a LOT of time when dealing with certificates with grpc!

I have a general question regarding how the TLS handshake behaves with certify: why does the grpc Server is requesting a new certificate with client common name as Subject Alternative Name?

server1_1      | time="2020-02-08T23:59:56Z" level=error msg="Error getting server certificate" error="Error making API request.\n\nURL: PUT http://vault:8200/v1/pki/sign/admin\nCode: 400. Errors:\n\n* subject alternate name agent01.example.com not allowed by this role"

Of course, that can be easily fixed by changing my admin role and allowing that domain. But I am not sure to get why does the client CN is getting propagated to the server CSR SAN?
Is it because of tls.RequireAndVerifyClientCert and a way of doing mutual authentication?

My piece of code, for the client and server:

	renewableToken := &certifyVault.RenewingToken{
		Initial:     key.VaultToken,
	}

	issuer := &certifyVault.Issuer{
		URL: &url.URL{
			Scheme: vaultURL.Scheme,
			Host:   vaultURL.Host,
		},
		Role:       "agent01",
		AuthMethod: renewableToken,
		TLSConfig: &tls.Config{RootCAs: client.CaCertPool, ServerName: "agent01.example.com"},
	}

	client.Certify = &certify.Certify{
		CommonName:  "agent01.example.com",
		Issuer:      issuer,
		Cache:       certify.NewMemCache(),
		Logger: logrusadapter.New(log.New()),
	}

	tlsConfig := &tls.Config{
		GetClientCertificate: client.Certify.GetClientCertificate,
		RootCAs: client.CaCertPool,
		ServerName: client.Host,
	}

	conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)))

Ands server:

	renewableToken := &certifyVault.RenewingToken{
		Initial: s.VaultClient.Token(),
	}

	issuer := &certifyVault.Issuer{
		URL: &url.URL{
			Scheme: vaultURL.Scheme,
			Host:   vaultURL.Host,
		},
		TimeToLive: time.Hour,
		Role:  "admin",
		AuthMethod: renewableToken,
		TLSConfig: &tls.Config{RootCAs: s.CaCertPool, ServerName: "admin.example.com"},
	}

	s.Certify = &certify.Certify{
		CommonName: "admin.example.com",
		Issuer:      issuer,
		Cache:       certify.NewMemCache(),
		Logger: logrusadapter.New(log.New()),

	listener, _ := net.Listen("tcp", s.addr)

	tlsConfig := &tls.Config{
		GetCertificate: s.Certify.GetCertificate,
		RootCAs: s.CaCertPool,
		ServerName: "admin.example.com",
		ClientCAs: s.CaCertPool,
		ClientAuth:     tls.RequireAndVerifyClientCert,
	}

	gs := grpc.NewServer(grpc.Creds(credentials.NewTLS(tlsConfig)))
	gs.Serve(listener)

Thanks a lot!

This might not be possible, but would be good to investigate.

Good day,

I'm chasing down trying to upgrade my vault modules, and noticed that the v1.8.0 of this project uses the old module path, but has been fixed in c3673d8. May we have a release for this change please?

Cheers.

Any CA that supports CSR signing should allow us to configure our own key type and size, so we should expose this option to users.

See https://github.com/cloudflare/cfssl

Is your feature request related to a problem? Please describe.
We don't provide common names for some vault-issued certificates; we rely strictly on URI SANs. We would like to be able to use this library, but its assumption that a common name is defined is problematic in at least one respect that I am able to confirm -- the dir cache implementation breaks down a bit (because it does cacheDir + commonName + ".crt"). Looking through the source, it also seems to assume the presence of commonName at a few other points but I haven't hit any issues elsewhere personally -- our vault policy accepts an empty string common name happily enough.

Describe the solution you'd like
I wonder if we could:

• add the option for a "local" or maybe "logical" name for the certificate, which would take precedence over common name if specified and be used as a local unique identifier, when needed -- we would just set this to the URISAN.String().
• avoid adding empty string common names to lists, etc.

Describe alternatives you've considered
I've considered that my conclusion that a common name is optional is wrong -- but I can't find any evidence to the contrary. Given that, we don't want to use it, as going against a common name would go against our PKI's plan to use URI SANs as the canonical identifier.

I've also considered -- and prepared for -- the possibility that this is going to be simply viewed as out of scope for this project. Totally reasonable!

https://golang.org/doc/go1.15#commonname

I believe there will be updates necessary here to address this deprecation.

Describe the bug

When getting certificate with AWS as an issuer, it fails with:
tls: failed to find any PEM data in certificate input

Steps to reproduce the bug

    awsCfg, err := external.LoadDefaultAWSConfig()

	awsCfg.Region = endpoints.EuCentral1RegionID
	awsCfg.Credentials = awsSDK.NewStaticCredentialsProvider("one", "two", "")
	cli := acmpca.New(awsCfg)

	c := &certify.Certify{
		CommonName:  "my-microapp",
		Cache:       certify.NewMemCache(),
		RenewBefore: (366 * 24) * time.Hour,
		Logger:      certifyLogger{},
		Issuer: &aws.Issuer{
			Client:                  cli,
			CertificateAuthorityARN: "arn",
			TimeToLive:              365,
		},
		CertConfig: &certify.CertConfig{
			SubjectAlternativeNames: []string{
				"localhost",
				"cerberus",
			},
			IPSubjectAlternativeNames: []net.IP{
				net.ParseIP("127.0.0.1"),
				net.ParseIP("::1"),
			},
		},
	}

	cp := x509.NewCertPool()
	tlsConfig := &tls.Config{
		GetCertificate: c.GetCertificate,
		ClientCAs:      cp,
		ClientAuth:     tls.NoClientCert,
		ServerName:     "my-microapp",
	}

Expected behavior

Certificate is processed properly

What happened instead

Error of : tls: failed to find any PEM data in certificate input

Additional context

in github.com/johanbrandhorst/certify/issuers/aws/aws.go:136 it fails since
github.com/johanbrandhorst/certify/issuers/aws/aws.go:134 is combining two certificates resulting in

-----BEGIN CERTIFICATE-----
Base64OfCertificate==
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
Base64OfCertificate==
-----END CERTIFICATE-----

Had a quick look but couldn't find what Istio uses under the hood, but there are certs being issued so there should be an issuer somewhere!

I am using certify in a sub-project and use dep to manage my dependencies.

Steps to reproduce the bug

I am running dep ensure -update {sub-project}

Expected behavior

My vendor folder contains certify and the updated sub-project.

What happened instead

The vendor folder contains in addition to the expected files:

• protoc-gen-go
• gingko
• moq

Thank you for this project. It looks quite interesting for my personal use case, and integration with golang and grpc.

I've been troubleshooting my install this week, and I'm unsure if this is a vault configuration issue, or something that the issuer is doing incorrectly.

subject alternate name server.example.com not allowed by this role"

Note that the following configuration does not have server.example.com as the CN. Also note that I have verified that vault will indeed hand out certificates for the .local domain I'm showing below.

	cfg := certify.CertConfig{
		KeyGenerator: &myKeyGenerator{},
	}

	c := &certify.Certify{
		CommonName: "somethingelse.local",
		Issuer:     issuer,
		Cache:      certify.NewMemCache(),
		CertConfig: &cfg,
		RenewBefore: 24 * time.Hour,
		Logger:      logrusadapter.New(logger),
		IssueTimeout: 15 * time.Second,
	}

This leads me to want to know what the contents are of the CSR itself, so that I may confirm the behavior. Is there a way?

In any case, some documentation as to how to get this all working in a real environment where an ACL is necessary would be super handy. For example, I have the following policy:

path "pki/issue/*" {
  capabilities = ["create", "update"]
}

path "pki/sign/*" {
  capabilities = ["create", "update"]
}

path "pki/certs" {
  capabilities = ["list"]
}

path "pki/revoke" {
  capabilities = ["create", "update"]
}

path "pki/tidy" {
  capabilities = ["create", "update"]
}

path "pki/cert/ca" {
  capabilities = ["read"]
}

path "auth/token/renew" {
  capabilities = ["update"]
}

path "auth/token/renew-self" {
  capabilities = ["update"]
}

But I'm unsure if that is too much permission to accomplish the issuing of a new cert. I've kept log of everything I've done to get this far and can produce that if helpful.

In the above example, I'm unclear where the server.example.com SAN is being injected. Note that I'm using certificate authentication, and the CN of the certificate I use to authenticate to vault is indeed the one mentioned in the error above, but from reading the code, the token metadata is not in use, unless I overlooked where that might be hiding. If I understand the intent, the CN passed to certify is the only CN that should exist in the cert, and the above config has no SAN, so why is vault complaining?

Any thoughts or guidance here would be appreciated.

This means we can safely use HTTP connections as well as HTTPS.

This would make the certify proxy much more powerful and useful for non-go users.

Describe the bug
It looks like the certify go.mod is importing github.com/hashicorp/vault. From what I can tell it probably should be github.com/hashicorp/vault/api.

Vaults API is a little atypical in that it's under the same git repo, but there is a separate go.mod at that location. I suspect the impact of pointing to the wrong location is just that builds using certify would be slower as it would be pulling in the entire vault source tree rather than just the api (and the dependent github.com/hashicorp/vault/sdk) path.

https://aws.amazon.com/certificate-manager/private-certificate-authority/

The generate CI check was disabled with #25 because of issues surrounding moq. See matryer/moq#84 (comment) for more information.

This would allow users more control over the client creation.

EJBCA is a certificate authority written in Java. It has a docker image (https://hub.docker.com/r/primekey/ejbca-ce) which should make testing simple. It appears to have a HTTP JSON REST API: https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/protocols/ejbca-rest-interface.

After reviewing #70 it was concluded that something like https://github.com/spiffe/go-spiffe could be used to validate that the OtherSans settings are parsed correctly. It might allow us to remove the go-spiffe dependency altogether since the logic is very similar.

This repo is a good candidate for trying out go modules as it doesn't have a v1 yet. It is the way of the future so there's no good reason not to do it. Note current best practices on tool dependencies (for moq, protoc-gen-go, ginkgo): https://github.com/golang/go/wiki/Modules#how-can-i-track-tool-dependencies-for-a-module

Background

Repo github.com/johanbrandhorst/certify depends on github.com/cloudflare/[email protected].

https://github.com/johanbrandhorst/certify/blob/master/go.mod#L8

However, comparing version v1.6.2 of github.com/cloudflare/cfssl from proxy.golang.org and github, there are inconsistencies.

commit time of the copy on github.com

"committer": {
      "name": "Nicky Semenza",
      "email": "[email protected]",
      "date": "2022-08-26T21:11:36Z"
    }

commit time of the copy on proxy.golang.org

{"Version":"v1.6.2","Time":"2022-08-24T17:57:20Z","Origin":{"VCS":"git","URL":"https://github.com/cloudflare/cfssl","Ref":"refs/tags/v1.6.2","Hash":"cacf1702e49e95c402b3b041a1689965e784dadd"}}

So the checksum from the code in github does not match the checksum saved in sum.golang.org. The v1.6.2 tag of github.com/cloudflare/cfssl might have been retagged after a minor edition on github. I guess you use proxy.golang.org to get dependencies, but that also shows that your project is depending on the copy of github.com/cloudflare/[email protected] before its edition. Depending upon such inconsistent tag version may also result in some unexpected errors as well as build errors due to different proxy settings.

For example, when someone who does not use proxy.golang.org, say GOPROXY=direct, attempts to get github.com/cloudflare/[email protected], the following error occurs.

go: downloading github.com/cloudflare/cfssl v1.6.2
go: github.com/cloudflare/cfssl@v1.6.2: verifying module: checksum mismatch
        downloaded: h1:V7EcbVzttAkK3J7PmAxjf7wD7UpMtWSCI+Wl+mu87mw=
        sum.golang.org: h1:3T2oQHypP81rykPfkTxOCyJkRU3xQz5SySVahMpN5LE=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

So, this is a reminder in the hope that you can get rid of this problematic version of project github.com/cloudflare/cfssl.

Solution

1. Bump the version of dependency github.com/cloudflare/cfssl

I would recommend bumping the version of github.com/cloudflare/cfssl to a new release to ensure dependency copy in proxy.golang.org and github in sync.

References

• cloudflare/cfssl#1243
• https://proxy.golang.org/

We should really publish a docker container for the certify proxy.

Gitlab CI is great but the github integration is not. It should be fairly easy to migrate to CircleCI and include things like automatic release change logs.

Describe the bug

When trying to issue a certificate for a basic HTTPS web server, Certify connects to Vault fine, but when calling the /v1/pki/sign/rolename endpoint, Vault returns an error:

Error making API request.

URL: PUT https://localhost:8200/v1/pki/sign/example.com
Code: 400. Errors:

* role requires keys of type rsa

Steps to reproduce the bug

Request a certificate from Vault via the certify.GetCertificate hook in http.Server's TLSConfig.

Expected behavior

A certificate is returned and the request proceeds

Extra comments

This is admittedly a Vault API error, when running against Vault 1.11.0, but it seems weird that regardless of which key type is set in the Vault role, Certify's request is denied. Is this to do with Vault API changes?

Is your feature request related to a problem? Please describe.
In order to ease up DANE/TLSA implementations it would be nice to be able to keep the private key.

Describe the solution you'd like
Possibility to keep the private key and reuse it

Describe alternatives you've considered
Automate the process of creating a hash of the certificate, and the publish it to a supported DNS-provider

Is your feature request related to a problem? Please describe.
At the moment it is only possible to specify uri_sans and other_sans parameters to a Vault issuer. To use these features one must disable use_csr_sans in the Vault role, which means any DNS SANs in the CSR would be ignored.

Describe the solution you'd like
Add the ability for the Vault alt_names parameter to be configured as a part of the vault.Issuer struct similar to the existing URISubjectAlternativeNames and OtherSubjectAlternativeNames options. Note that the Vault alt_names parameter can be used for both DNS and Email names. For completeness it might be worth adding the ip_sans option at the same time which would fully round out the issuer to expose all underlying Vault options.

Describe alternatives you've considered
The obvious alternative is setting use_csr_sans to true in the Vault role and simply using the CertConfig to specify all SANs. The downside to this is this would require doing all access control in the PKI role (eg, one role per application) and being unable to use the otherwise powerful Vault policy configuration which allows specifying request arguments as a part of the Vault policy and can be more powerful.

Adding the options to the Vault issuer would still permit this option as existing behaviour would not change when those fields are not provided, but enables flexibility where required.

Additional context
https://www.vaultproject.io/api-docs/secret/pki/#sign-certificate

This is a repository-level issue that's causing a problem with our tooling.

This is output by the vscode static analysis tools as well as non-Go 1.11 module builds (within Gopath, with GO111MODULE=off/auto). The actual application builds on our CI because we use Go 1.11 modules for that. However, this breaks all intellisense features because every other issue is ignored and this is the only output:

cannot use caAuth (type *"github.com/cloudflare/cfssl/auth".Standard) as type "github.com/johanbrandhorst/certify/vendor/github.com/cloudflare/cfssl/auth".Provider in field value:
	*"github.com/cloudflare/cfssl/auth".Standard does not implement "github.com/johanbrandhorst/certify/vendor/github.com/cloudflare/cfssl/auth".Provider (wrong type for Verify method)
		have Verify(*"github.com/cloudflare/cfssl/auth".AuthenticatedRequest) bool
		want Verify(*"github.com/johanbrandhorst/certify/vendor/github.com/cloudflare/cfssl/auth".AuthenticatedRequest) bool

It's my understanding that vendor/ paths should not be used by library authors and only for end-user binaries.

Given that this project already specifies go.mod/go.sum for proper version management - it would make sense to simply remove the vendor directory to resolve these issues with vscode tooling. As right now, I think the only alternative is to run the static analysis tools manually and ignore vscode - which is pretty annoying!

Should be possible, but will need some research.

https://github.com/cloudflare/cfssl/releases/tag/v1.4.0

See https://app.circleci.com/pipelines/github/johanbrandhorst/certify/227/workflows/05949ce5-6248-496e-a7c5-e80381b66498/jobs/1030. Probably could just stop using moq tbh.

Describe the bug
in github.com/johanbrandhorst/certify/issuers/aws/aws.go:33 with the newest github.com/aws/aws-sdk-go-v2 compilator errors with

# github.com/johanbrandhorst/certify/issuers/aws
../../../../johanbrandhorst/certify/issuers/aws/aws.go:33:9: undefined: acmpcaiface.ACMPCAAPI

Steps to reproduce the bug

$ go get -u github.com/aws/aws-sdk-go-v2

Try to compile with AWS CM issuer

Expected behavior

Compilator does not fail

What happened instead

Fatal compilation error

Additional context