We are using a web server in a docker container. At the moment our public private key is working fine. The problem we have is that our CAFile is not being included as an offered certificate when we test our site with https://www.ssllabs.com/. After reviewing solutions, I attempted to add the certification to a caCertPool and added it to the configutation. Even after doing that, SSL Labs still says it does not see it and we still get a B Score. Here is a code snippet of what I am attempting without luck so far.
certs, err := newStaticCerts(&static.Config{UseStaticFiles: cfg.IsProduction, FallbackToDisk: true, AbsPkgPath: getMessagePath()})
if err != nil {
log.WithFields(log.F("error", err)).Fatal("Issue initializing static certs")
}
httpKey, err := certs.ReadFile("/certs/website.com.key")
if err != nil {
log.WithFields(log.F("error", err)).Fatal("Issue loading tls key")
}
httpPem, err := certs.ReadFile("/certs/website.com.pem")
if err != nil {
log.WithFields(log.F("error", err)).Fatal("Issue loading tls pem")
}
caFilePem, err := certs.ReadFile("/certs/CAFile.pem")
if log.CheckErr(err, "Issue loading CAFile pem") {
return
}
// Load client cert
cert, err := tls.X509KeyPair(httpPem, httpKey)
if err != nil {
log.Fatal(err)
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caFilePem)
tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
},
Certificates: []tls.Certificate{cert},
RootCAs: caCertPool,
}
tlsConfig.BuildNameToCertificate()
//server := &http.Server{Addr: ":" + strconv.Itoa(cfg.AppPort), Handler: p.Serve(), TLSConfig: tlsConfig}
srv := &http.Server{
Addr: ":" + strconv.Itoa(cfg.AppPort),
Handler: p.Serve(),
TLSConfig: tlsConfig,
TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
}
err = kmshttp.RunServer(srv)
if log.CheckErr(err, "shutting down server") {
return
}
The problem is when we check our Certification Paths, our RSA CA is an "Extra download" and not included on our site.
From the tls.Config documentation:
Certificates contains one or more certificate chains to present to the other side of the connection.
[...]
RootCAs defines the set of root certificate authorities that clients use when verifying server certificates.
The RootCAs field does nothing for servers. You only need to set the complete certificate chain in the Certificates field (excluding the root CA; that wouldn't technically break anything but waste bandwidth).
You haven't shown what certs.ReadFile does, but you only need to ensure that it returns the PEM encoded leaf certificate and the intermediate(s) (i.e. the one that's an "extra download"), concatenated in that order. tls.X509KeyPair builds the chain automatically.