
[Bug]: cannot import root certificate from mkcert #2092

Open
userid0x0 opened this issue Dec 6, 2024 · 3 comments
Labels
bug needs triage Waiting for discussion / prioritization by team

Comments

@userid0x0

Steps to Reproduce

https://github.com/userid0x0/step-ca-mkcert-problem

Your Environment

  • OS - Linux using Docker
  • step-ca Version
        "Id": "sha256:9c6a2d85468e45cd6c44bf39241a1781230b259954644d34c724cce948747b84",
        "RepoTags": [
            "smallstep/step-ca:latest"
        ],
        "RepoDigests": [
            "smallstep/step-ca@sha256:a8308bddba866f5fccb2740c8bb2e5dea8cdde4b5856058539a7f5170894a9c0"
        ],
        "Parent": "",
        "Comment": "buildkit.dockerfile.v0",
        "Created": "2024-11-20T20:05:39.162646425Z"

Expected Behavior

Step-Ca can import a root certificate from mkcert.

Actual Behavior

Error message "tls: failed to verify certificate: x509: too many intermediates for path length constraint" on Traefik & Step-CA side.

Additional Context

If I skip the --root & --key parameters to import the existing certificate step-ca works as expected.
Of course it generates a new root certificate.

Contributing

No response

@userid0x0 userid0x0 added bug needs triage Waiting for discussion / prioritization by team labels Dec 6, 2024
@hslatman
Member

hslatman commented Dec 9, 2024

Hey @userid0x0,

It looks like mkcert will always create a root certificate with a max path length of zero, with it being enforced as zero (MaxPathLenZero): https://github.com/FiloSottile/mkcert/blob/master/cert.go#L327-L348. This means that the root that is created by mkcert is not suitable for a PKI that involves an additional intermediate, which is what step-ca uses by default.

The error you're seeing is the result of certificate path validation (correctly) determining that the chain is not valid: if you create an intermediate CA from a root CA that has a maximum path length set to 0, then the chain is invalid. Generally path validation is done by TLS clients, although servers can do parts of it too, in order to prevent potential misconfigurations. In this case the fact that the CA doesn't work with the mkcert root is not the actual bug, but I can understand your conclusion, and I think we could improve a bit by adding a check that the CA has a valid chain to start with. We should either prevent the CA from starting using an invalid chain, don't allow an invalid configuration to be created in the first place, or a combination of both.

If you really want to use the mkcert generated root, a potential workaround would be to first generate a new step-ca configuration, including a new root and intermediate, and to then replace both the root and intermediate with your mkcert certificate and key. Note that this is not a fully supported operation mode, and it would require the mkcert root certificate and key to be always available when the CA is running (i.e. "online"; generally step-ca has an "offline" root).

@hslatman hslatman self-assigned this Dec 9, 2024
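The path length failure described above, as an added Go example (not code from the issue, mkcert or step-ca): it builds a root with pathLen 0 (mkcert's MaxPathLenZero behaviour), an intermediate and a server leaf, then runs Go's own chain validation against the leaf; raising the root's pathLen to 1 makes the same chain validate. The CA names, the hostname ca.example.test and the serial numbers are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var serial int64 // constructed demo: sequential serial numbers are fine here
func check(err error) { if err != nil { panic(err) } }

// issue signs tmpl with parent/parentKey (self-signed when parent is nil) and returns the re-parsed
// certificate, so MaxPathLen/MaxPathLenZero reflect what was actually encoded in the DER.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// caTemplate: pathLen 0 is encoded as an explicit pathLenConstraint of 0 (MaxPathLenZero), as mkcert does.
func caTemplate(cn string, pathLen int) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0}
}

// verifyChain builds root -> intermediate -> server leaf with the given root pathLen and runs the
// path validation a Go TLS client (such as Traefik) performs on the served chain.
func verifyChain(rootPathLen int) error {
	root, rootKey := issue(caTemplate("Demo Root", rootPathLen), nil, nil)
	inter, interKey := issue(caTemplate("Demo Intermediate", 0), root, rootKey)
	leaf, _ := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "ca.example.test"}, DNSNames: []string{"ca.example.test"}}, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "ca.example.test"})
	return err
}
```

verifyChain(0) returns the "x509: too many intermediates for path length constraint" error quoted in the report, while verifyChain(1) returns nil.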
@userid0x0
Author

Hi @hslatman ,
thank you very much for the detailed answer. For me (a non-openssl expert) it was the easiest to enable TLS in my homelab using mkcert. For that reason I tried to reuse my mkcert root CA.

Feel free to close the issue - I will mark my GitHub example as 'non working'/'wrong' just to be sure nobody tries to reproduce it.

@hslatman
Member

I'll keep it open for a bit, because I'd like to add some additional guard rails to our CA initialization and/or startup process so that this case surfaces earlier in the process.
