Comments (4)
I think this is correct. To find out if the current certificate (LAB Issuing ACME CA) has been revoked, we need to check with the certificate issuer, being the LAB Root CA.
In the leaf certificates the CRL of the LAB Issuing ACME CA is present because that is where we can check if a leaf certificate was revoked.
from labca.
@hakwerk That makes sense, I forgot that the issuing CA would have its CRL be the root CA.
As a side note, how could LabCA handle the root CA CRL if the changes in #53 (option 1 - root CA upload) were implemented? I would think the user could have an option to upload the root CA CRL into LabCA to be served (manual process).
from labca.
@hakwerk It looks like a test leaf certificate has a nonexistent URL for the Issuing CA CRL.
user@acme:~$ sudo certbot certonly --manual --preferred-challenge dns --domain testdomain.lab.local --server https://acme.lab.local/directory --register-unsafely-without-email
user@acme:~$ sudo openssl x509 -in /etc/letsencrypt/live/testdomain.lab.local/cert.pem -text | grep crl
URI:http://acme.lab.local/crl/40095325498633400.crl
user@acme:~$ curl http://acme.lab.local/crl/40095325498633400.crl
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
root@acme:~# docker exec -it 6288d35a7f2b bash
root@6288d35a7f2b:/labca# ls -l /var/www/html/crl
total 12
-rw-r--r-- 1 root root 361 Feb 18 07:42 40095325498633401-1676706131489947433-0.crl
-rw-r--r-- 1 root root 361 Feb 19 01:02 40095325498633401-1676768520000471541-0.crl
lrwxrwxrwx 1 root root 43 Feb 19 01:02 40095325498633401.crl -> 40095325498633401-1676768520000471541-0.crl
-rw-r--r-- 1 root root 983 Feb 18 07:39 root-ca.crl
The Issuing CA CRL also does not appear to be updating the 01 CRL.
user@acme:~$ sudo certbot revoke --cert-path /etc/letsencrypt/live/testdomain.lab.local/cert.pem --server https://acme.lab.local/directory --register-unsafely-without-email
user@acme:~$ wget http://acme.lab.local/crl/40095325498633401.crl
user@acme:~$ openssl crl -inform DER -text -noout -in 40095325498633401.crl
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: ecdsa-with-SHA384
Issuer: C = US, O = LAB, CN = LAB Intermediate ACME CA
Last Update: Feb 19 01:02:00 2023 GMT
Next Update: Feb 23 01:01:59 2023 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:EC:6E:39:FA:D8:91:15:B7:AC:84:32:3F:E6:D1:2D:E2:EC:F3:5F:D7
X509v3 CRL Number:
1676768520000471541
X509v3 Issuing Distribution Point: critical
Full Name:
URI:http://acme.lab.local/crl/40095325498633401.crl
Only User Certificates
No Revoked Certificates.
from labca.
The CRLs are generated by the Let's Encrypt boulder engine on regular intervals, not on demand after a cert is revoked. Currently I have set this in LabCA to every 24 hours. You can change this with the updatePeriod setting in the /home/labca/boulder_labca/config/crl-updater.json file. You need a docker restart boulder-boulder-1 for the change to take effect.
You can also trigger generating the CRL on demand with this command:
docker exec -it boulder-boulder-1 ./bin/boulder crl-updater --config labca/config/crl-updater.json -runOnce -debug-addr :18021
I've not been able to reproduce that 00/01 issue in the CRL name. It is also very unexpected to be off by one as the value is based on the SHA1 hash of the issuer certificate subject.
how could LabCA handle the root CA CRL if the changes in #53 (option 1 - root CA upload) were implemented?
That is just one of several issues why #53 is not easy to implement. It is not just a GUI change but also affects several other processes in the system. I don't expect to implement #53 anytime soon.
from labca.
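The checks this thread does by hand (reading the CRL distribution point out of the leaf, fetching the CRL, and looking for the revoked serial), as an added Go example; this is not LabCA's or Boulder's code. It builds a throwaway self-signed "LAB Intermediate ACME CA" in memory instead of the page's root/intermediate pair, issues a leaf for testdomain.lab.local whose CRL URL is named the way the page's leaf names it, signs a CRL with the leaf's serial, and verifies the CRL signature and freshness before answering, so a wrong or stale CRL is an error rather than "not revoked". IssuerNameID assumes the naming rule hakwerk describes (a hash of the issuer subject); the exact form used here, SHA-1 over the DER subject truncated to 7 bytes, is taken from Boulder's issuance package and is an assumption of this example. Float64RoundTrip is an added arithmetic check, not a diagnosis of LabCA: 40095325498633401 lies above 2^53, so it is not exactly representable as a float64 and rounds to 40095325498633400, which is the pair of numbers seen in this thread; any path that carries the ID through a JavaScript number or an untyped JSON decoder would show that symptom. Needs Go 1.19 or later for x509.ParseRevocationList.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssuerNameID reproduces the number in the CRL file names on this page, assuming Boulder's
// rule: SHA-1 over the issuer's DER subject, first 7 bytes read as a big-endian integer.
func IssuerNameID(issuer *x509.Certificate) int64 {
	h := sha1.Sum(issuer.RawSubject)
	return new(big.Int).SetBytes(h[:7]).Int64()
}

// Float64RoundTrip returns id after a trip through float64, the type JavaScript and untyped
// JSON decoders hold numbers in; integers above 2^53 can come back changed.
func Float64RoundTrip(id int64) int64 {
	return int64(float64(id))
}

// IsRevoked parses a DER CRL, checks its signature against issuer and its freshness, then
// looks the serial up. An unverifiable or stale CRL is an error, never "not revoked".
func IsRevoked(crlDER []byte, issuer *x509.Certificate, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL signature: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL stale, nextUpdate %s", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// must panics on error; the demo below is throwaway code, not a library.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with parentKey (self-signed when parent == tmpl) and re-parses the DER.
func issue(tmpl, parent *x509.Certificate, pub, parentKey any) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// buildCRL signs a CRL listing the given serials; no serials gives the "No Revoked
// Certificates" CRL seen on the page before the updater had run.
func buildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*big.Int) []byte {
	now := time.Now()
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:     big.NewInt(now.UnixNano()), // the page's CRL Number is a nanosecond timestamp
		ThisUpdate: now, NextUpdate: now.Add(4 * 24 * time.Hour), RevokedCertificates: entries,
	}, ca, caKey))
}

// RunDemo builds a throwaway issuing CA and leaf (constructed test data), revokes the leaf in
// a fresh CRL, and returns the issuer NameID, the leaf's CRL URL, and the lookup results for
// the leaf's serial and for an unrelated serial.
func RunDemo() (id int64, crlURL string, leafRevoked, otherRevoked bool) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader)) // ecdsa-with-SHA384, as on the page
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		Subject:      pkix.Name{Country: []string{"US"}, Organization: []string{"LAB"}, CommonName: "LAB Intermediate ACME CA"},
		IsCA:         true, BasicConstraintsValid: true, // Go derives the SubjectKeyId a CRL issuer needs from IsCA
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // cRLSign is required to sign a CRL
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	id = IssuerNameID(ca)
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(0x04a1b2c3d4e5f6), // fixed serial for the demo
		Subject:      pkix.Name{CommonName: "testdomain.lab.local"}, DNSNames: []string{"testdomain.lab.local"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		CRLDistributionPoints: []string{fmt.Sprintf("http://acme.lab.local/crl/%d.crl", id)}, // named like the page's
	}, ca, &leafKey.PublicKey, caKey)
	crlDER := buildCRL(ca, caKey, leaf.SerialNumber)
	leafRevoked = must(IsRevoked(crlDER, ca, leaf.SerialNumber))
	otherRevoked = must(IsRevoked(crlDER, ca, big.NewInt(2)))
	return id, leaf.CRLDistributionPoints[0], leafRevoked, otherRevoked
}

func main() {
	id, crlURL, leafRevoked, otherRevoked := RunDemo()
	fmt.Printf("NameID %d, CRL DP %s, leaf revoked %v, serial 2 revoked %v\n", id, crlURL, leafRevoked, otherRevoked)
	fmt.Printf("page's 40095325498633401 after a float64 round trip: %d\n", Float64RoundTrip(40095325498633401))
}
```

Against a real LabCA the same IsRevoked call takes the bytes from `curl` of the leaf's distribution point and the issuing CA certificate from the chain; the signature check is what makes a 404 (no CRL) and a forged CRL fail loudly instead of reading as "not revoked".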