From 4392e65f3f4e61682beb16f34d715bb87cc2c322 Mon Sep 17 00:00:00 2001 From: Adrian Heine Date: Sun, 4 Aug 2024 10:46:47 +0200 Subject: [PATCH] Don't handle ACME root certs They are volatile, and issued certs are already bundled nowadays. --- src/builder.rs | 32 +++++++------------------------- src/locator.rs | 16 +--------------- src/resources/mod.rs | 7 ------- src/symbols/acme/cert.rs | 11 ++++++----- static_files/lets_encrypt_r3.pem | 30 ------------------------------ 5 files changed, 14 insertions(+), 82 deletions(-) delete mode 100644 static_files/lets_encrypt_r3.pem diff --git a/src/builder.rs b/src/builder.rs index aa385bc..ef00da2 100644 --- a/src/builder.rs +++ b/src/builder.rs @@ -1,12 +1,11 @@ use crate::command_runner::{SetuidCommandRunner, StdCommandRunner}; use crate::resources::{ - AcmeAccountKey, AcmeChallengesDir, AcmeChallengesNginxSnippet, AcmeRootCert, AcmeUser, Cert, + AcmeAccountKey, AcmeChallengesDir, AcmeChallengesNginxSnippet, AcmeUser, Cert, CertChain, Cron, Csr, DefaultServer, Dir, File, GitCheckout, Key, KeyAndCertBundle, LoadedDirectory, MariaDbDatabase, MariaDbUser, NpmInstall, Owner, PhpFpmPool, PostgresqlDatabase, Resource, ServeCustom, ServePhp, ServeRedir, ServeService, ServeStatic, StoredDirectory, SystemdSocketService, User, UserForDomain, WordpressPlugin, WordpressTranslation, }; -use crate::static_files::LETS_ENCRYPT_R3; use crate::storage::SimpleStorage; use crate::storage::Storage; use crate::symbols::acme::Cert as CertSymbol; @@ -99,7 +98,6 @@ impl ImplementationBuilder> for DefaultBuilder { impl ImplementationBuilder> for DefaultBuilder { type Prerequisites = ( Csr, - AcmeRootCert, AcmeAccountKey, AcmeChallengesDir, AcmeUser, @@ -108,7 +106,6 @@ impl ImplementationBuilder> for DefaultBuilder { fn prerequisites(resource: &Cert) -> Self::Prerequisites { ( Csr(resource.0.clone()), - AcmeRootCert, AcmeAccountKey, AcmeChallengesDir, AcmeUser, 
@@ -121,12 +118,11 @@ impl ImplementationBuilder> for DefaultBuilder { fn create( resource: &Cert, target: & as Resource>::Artifact, - (csr, root_cert, account_key, challenges_dir, (user_name, _), _): ::Artifact, + (csr, account_key, challenges_dir, (user_name, _), _): ::Artifact, ) -> Self::Implementation { CertSymbol::new( resource.0.clone(), SetuidCommandRunner::new(user_name.0), - root_cert.clone_rc(), account_key.clone_rc(), challenges_dir.clone_rc(), csr.clone_rc(), @@ -136,18 +132,18 @@ impl ImplementationBuilder> for DefaultBuilder { } impl ImplementationBuilder> for DefaultBuilder { - type Prerequisites = (Cert, AcmeRootCert); + type Prerequisites = Cert; fn prerequisites(resource: &CertChain) -> Self::Prerequisites { - (Cert(resource.0.clone()), AcmeRootCert) + Cert(resource.0.clone()) } - type Implementation = ConcatSymbol<[Rc; 2], Rc, Rc>; + type Implementation = ConcatSymbol<[Rc; 1], Rc, Rc>; fn create( _resource: &CertChain, target: & as Resource>::Artifact, - (cert, root_cert): ::Artifact, + cert: ::Artifact, ) -> Self::Implementation { - ConcatSymbol::new([cert.clone_rc(), root_cert.clone_rc()], target.clone_rc()) + ConcatSymbol::new([cert.clone_rc()], target.clone_rc()) } } @@ -667,20 +663,6 @@ impl ImplementationBuilder for DefaultBuilder { } } -impl ImplementationBuilder for DefaultBuilder { - type Prerequisites = (); - fn prerequisites(_resource: &AcmeRootCert) -> Self::Prerequisites {} - - type Implementation = FileSymbol, &'static str>; - fn create( - _resource: &AcmeRootCert, - target: &::Artifact, - (): ::Artifact, - ) -> Self::Implementation { - FileSymbol::new(target.clone_rc(), LETS_ENCRYPT_R3) - } -} - impl ImplementationBuilder> for DefaultBuilder { type Prerequisites = (); fn prerequisites(_resource: &MariaDbUser) -> Self::Prerequisites {} diff --git a/src/locator.rs b/src/locator.rs index 01a6e41..a1b139e 100644 --- a/src/locator.rs +++ b/src/locator.rs 
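Review bot: `ConcatSymbol::new([cert.clone_rc()], target.clone_rc())` in the CertChain impl now concatenates a single input, so CertChain has become a verbatim copy of Cert, and nothing in the hunk records why the resource is kept rather than aliased. I would put a comment above the impl, e.g. `// The issued cert already includes its intermediate, so the "chain" is a plain copy; presumably kept so consumers keep a stable path.` If no other resource depends on CertChain having its own path, folding it into Cert would be the cleaner follow-up, but that is not visible from this hunk.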
@@ -3,7 +3,7 @@ use crate::artifacts::{ UserName as UserNameArtifact, }; use crate::resources::{ - AcmeAccountKey, AcmeChallengesDir, AcmeChallengesNginxSnippet, AcmeRootCert, AcmeUser, Cert, + AcmeAccountKey, AcmeChallengesDir, AcmeChallengesNginxSnippet, AcmeUser, Cert, CertChain, Cron, Csr, DefaultServer, Dir, File, GitCheckout, Key, KeyAndCertBundle, LoadedDirectory, MariaDbDatabase, MariaDbUser, NpmInstall, Owner, PhpFpmPool, PostgresqlDatabase, Resource, ServeCustom, ServePhp, ServeRedir, ServeService, ServeStatic, StoredDirectory, @@ -237,20 +237,6 @@ impl ResourceLocator for DefaultLocator

ResourceLocator for DefaultLocator

{ - type Prerequisites = Dir>; - fn locate( - _resource: &AcmeRootCert, - ) -> (::Artifact, Self::Prerequisites) { - let acme_user = P::acme_user(); - let home = P::user_home(acme_user); - ( - PathArtifact::from(home.join("lets_encrypt_r3.pem")), - Dir(home), - ) - } -} - impl> ResourceLocator> for DefaultLocator

{ type Prerequisites = (); fn locate( diff --git a/src/resources/mod.rs b/src/resources/mod.rs index 8c56a67..06daa5f 100644 --- a/src/resources/mod.rs +++ b/src/resources/mod.rs @@ -94,12 +94,6 @@ impl Resource for AcmeUser { type Artifact = (UserNameArtifact, PathArtifact); } -#[derive(Debug, Hash, PartialEq, Eq)] -pub struct AcmeRootCert; -impl Resource for AcmeRootCert { - type Artifact = PathArtifact; -} - #[derive(Debug, Hash, PartialEq, Eq)] pub struct AcmeChallengesDir; impl Resource for AcmeChallengesDir { @@ -348,7 +342,6 @@ default_resources!( AcmeAccountKey: AcmeAccountKey, AcmeChallengesDir: AcmeChallengesDir, AcmeChallengesNginxSnippet: AcmeChallengesNginxSnippet, - AcmeRootCert: AcmeRootCert, AcmeUser: AcmeUser, Cert: Cert, CertChain: CertChain, diff --git a/src/symbols/acme/cert.rs b/src/symbols/acme/cert.rs index 9055c85..955606b 100644 --- a/src/symbols/acme/cert.rs +++ b/src/symbols/acme/cert.rs @@ -12,7 +12,6 @@ use std::path::Path; pub struct Cert<_C, C, D, P> { domain: D, command_runner: C, - root_cert_path: P, account_key_path: P, challenges_path: P, csr_path: P, @@ -24,7 +23,6 @@ impl<_C, C, D, P> Cert<_C, C, D, P> { pub fn new( domain: D, command_runner: C, - root_cert_path: P, account_key_path: P, challenges_path: P, csr_path: P, @@ -33,7 +31,6 @@ impl<_C, C, D, P> Cert<_C, C, D, P> { Self { domain, command_runner, - root_cert_path, account_key_path, challenges_path, csr_path, @@ -84,8 +81,12 @@ impl<_C: CommandRunner, C: Borrow<_C>, D: AsRef, P: AsRef> Symbol for "openssl", args![ "verify", - "--untrusted", - self.root_cert_path.as_ref(), + // Since the cert file includes the intermediate, + // this pulls the intermediate into the verification chain + // without trusting it + "-untrusted", + self.cert_path.as_ref(), + // Only the first cert in the cert file is verified self.cert_path.as_ref(), ], ) diff --git a/static_files/lets_encrypt_r3.pem b/static_files/lets_encrypt_r3.pem deleted file mode 100644 index 43b222a..0000000 
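Review bot: The trust anchor for the `openssl verify` call is now implicit: with `-untrusted` pointing at the issued file and no `-CAfile`/`-CApath` given, the chain is accepted only if the host's default CA store holds the issuing root, and the hunk's comments do not say so. The deleted `root_cert_path` appears to have been the only place that assumption was visible; I would add above the args block: `// Trust anchor: the host's default CA store (no -CAfile/-CApath). The issued file must carry its intermediate or verification fails.` A cert file delivered without its intermediate now fails verification instead of being accepted, which is the safe direction but worth stating for anyone debugging renewals. The enclosing method's body begins and ends outside the hunk.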
--- a/static_files/lets_encrypt_r3.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
-WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
-RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
-R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
-sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
-NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
-Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
-/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
-AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
-FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
-AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
-Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
-gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
-PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
-ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
-CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
-lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
-avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
-yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
-yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
-hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
-HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
-MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
-nLRbwHOoq7hHwg==
------END CERTIFICATE-----