Send complete certificate chain, not just the leaf cert

brandond · brandond · commit 06e0441ca2d8 · 2022-05-11T12:50:39.000-07:00
Signed-off-by: Brad Davidson &lt;brad.davidson@rancher.com&gt;
diff --git a/factory/ca.go b/factory/ca.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
+	"time"
 
 	"github.com/rancher/dynamiclistener/cert"
 )
@@ -16,7 +17,7 @@ func GenCA() (*x509.Certificate, crypto.Signer, error) {
 		return nil, nil, err
 	}
 
-	caCert, err := NewSelfSignedCACert(caKey, "dynamiclistener-ca", "dynamiclistener-org")
+	caCert, err := NewSelfSignedCACert(caKey, fmt.Sprintf("dynamiclistener-ca@%d", time.Now().Unix()), "dynamiclistener-org")
 	if err != nil {
 		return nil, nil, err
 	}
diff --git a/factory/gen.go b/factory/gen.go
@@ -171,7 +171,7 @@ func (t *TLS) generateCert(secret *v1.Secret, cn ...string) (*v1.Secret, bool, e
 		return nil, false, err
 	}
 
-	certBytes, keyBytes, err := Marshal(newCert, privateKey)
+	keyBytes, certBytes, err := MarshalChain(privateKey, newCert, t.CACert)
 	if err != nil {
 		return nil, false, err
 	}
@@ -250,14 +250,33 @@ func getPrivateKey(secret *v1.Secret) (crypto.Signer, error) {
 	return NewPrivateKey()
 }
 
+// MarshalChain returns given key and certificates as byte slices.
+func MarshalChain(privateKey crypto.Signer, certs ...*x509.Certificate) (keyBytes, certChainBytes []byte, err error) {
+	keyBytes, err = cert.MarshalPrivateKeyToPEM(privateKey)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	for _, cert := range certs {
+		if cert != nil {
+			certBlock := pem.Block{
+				Type:  CertificateBlockType,
+				Bytes: cert.Raw,
+			}
+			certChainBytes = append(certChainBytes, pem.EncodeToMemory(&certBlock)...)
+		}
+	}
+	return keyBytes, certChainBytes, nil
+}
+
 // Marshal returns the given cert and key as byte slices.
-func Marshal(x509Cert *x509.Certificate, privateKey crypto.Signer) ([]byte, []byte, error) {
+func Marshal(x509Cert *x509.Certificate, privateKey crypto.Signer) (certBytes, keyBytes []byte, err error) {
 	certBlock := pem.Block{
 		Type:  CertificateBlockType,
 		Bytes: x509Cert.Raw,
 	}
 
-	keyBytes, err := cert.MarshalPrivateKeyToPEM(privateKey)
+	keyBytes, err = cert.MarshalPrivateKeyToPEM(privateKey)
 	if err != nil {
 		return nil, nil, err
 	}
diff --git a/storage/kubernetes/ca.go b/storage/kubernetes/ca.go
@@ -56,7 +56,7 @@ func createAndStoreClientCert(secrets v1controller.SecretClient, namespace strin
 		return nil, err
 	}
 
-	certPem, keyPem, err := factory.Marshal(cert, key)
+	keyPem, certPem, err := factory.MarshalChain(key, cert, caCert)
 	if err != nil {
 		return nil, err
 	}

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ import (`
`6`	`6`	`"fmt"`
`7`	`7`	`"io/ioutil"`
`8`	`8`	`"os"`
	`9`	`+ "time"`
`9`	`10`
`10`	`11`	`"github.com/rancher/dynamiclistener/cert"`
`11`	`12`	`)`
`@@ -16,7 +17,7 @@ func GenCA() (*x509.Certificate, crypto.Signer, error) {`
`16`	`17`	`return nil, nil, err`
`17`	`18`	`}`
`18`	`19`
`19`		`- caCert, err := NewSelfSignedCACert(caKey, "dynamiclistener-ca", "dynamiclistener-org")`
	`20`	`+ caCert, err := NewSelfSignedCACert(caKey, fmt.Sprintf("dynamiclistener-ca@%d", time.Now().Unix()), "dynamiclistener-org")`
`20`	`21`	`if err != nil {`
`21`	`22`	`return nil, nil, err`
`22`	`23`	`}`
Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ func createAndStoreClientCert(secrets v1controller.SecretClient, namespace strin`
`56`	`56`	`return nil, err`
`57`	`57`	`}`
`58`	`58`
`59`		`- certPem, keyPem, err := factory.Marshal(cert, key)`
	`59`	`+ keyPem, certPem, err := factory.MarshalChain(key, cert, caCert)`
`60`	`60`	`if err != nil {`
`61`	`61`	`return nil, err`
`62`	`62`	`}`