Merge branch 'sh-fix-letsencrypt-pages' into 'master'

Fix auto-renew of LetsEncrypt domains for Pages

See merge request gitlab-org/gitlab!71697

app/models/pages_domain.rb

@@ -129,18 +129,15 @@ class PagesDomain < ApplicationRecord
     store = OpenSSL::X509::Store.new
     store.set_default_paths
 
-    # This forces to load all intermediate certificates stored in `certificate`
-    Tempfile.open('certificate_chain') do |f|
-      f.write(certificate)
-      f.flush
-      store.add_file(f.path)
-    end
-
-    store.verify(x509)
+    store.verify(x509, untrusted_ca_certs_bundle)
   rescue OpenSSL::X509::StoreError
     false
   end
 
+  def untrusted_ca_certs_bundle
+    ::Gitlab::X509::Certificate.load_ca_certs_bundle(certificate)
+  end
+
   def expired?
     return false unless x509
 

lib/gitlab/email/hook/smime_signature_interceptor.rb

@@ -22,7 +22,7 @@ module Gitlab
           private
 
           def certificate
-            @certificate ||= Gitlab::Email::Smime::Certificate.from_files(key_path, cert_path, ca_certs_path)
+            @certificate ||= Gitlab::X509::Certificate.from_files(key_path, cert_path, ca_certs_path)
           end
 
           def key_path

lib/gitlab/email/smime/certificate.rb

-# frozen_string_literal: true
-
-module Gitlab
-  module Email
-    module Smime
-      class Certificate
-        CERT_REGEX = /-----BEGIN CERTIFICATE-----(?:.|\n)+?-----END CERTIFICATE-----/.freeze
-
-        attr_reader :key, :cert, :ca_certs
-
-        def key_string
-          key.to_s
-        end
-
-        def cert_string
-          cert.to_pem
-        end
-
-        def ca_certs_string
-          ca_certs.map(&:to_pem).join('\n') unless ca_certs.blank?
-        end
-
-        def self.from_strings(key_string, cert_string, ca_certs_string = nil)
-          key = OpenSSL::PKey::RSA.new(key_string)
-          cert = OpenSSL::X509::Certificate.new(cert_string)
-          ca_certs = load_ca_certs_bundle(ca_certs_string)
-
-          new(key, cert, ca_certs)
-        end
-
-        def self.from_files(key_path, cert_path, ca_certs_path = nil)
-          ca_certs_string = File.read(ca_certs_path) if ca_certs_path
-
-          from_strings(File.read(key_path), File.read(cert_path), ca_certs_string)
-        end
-
-        # Returns an array of OpenSSL::X509::Certificate objects, empty array if none found
-        #
-        # Ruby OpenSSL::X509::Certificate.new will only load the first
-        # certificate if a bundle is presented, this allows to parse multiple certs
-        # in the same file
-        def self.load_ca_certs_bundle(ca_certs_string)
-          return [] unless ca_certs_string
-
-          ca_certs_string.scan(CERT_REGEX).map do |ca_cert_string|
-            OpenSSL::X509::Certificate.new(ca_cert_string)
-          end
-        end
-
-        def initialize(key, cert, ca_certs = nil)
-          @key = key
-          @cert = cert
-          @ca_certs = ca_certs
-        end
-      end
-    end
-  end
-end

lib/gitlab/x509/certificate.rb

+# frozen_string_literal: true
+
+module Gitlab
+  module X509
+    class Certificate
+      CERT_REGEX = /-----BEGIN CERTIFICATE-----(?:.|\n)+?-----END CERTIFICATE-----/.freeze
+
+      attr_reader :key, :cert, :ca_certs
+
+      def key_string
+        key.to_s
+      end
+
+      def cert_string
+        cert.to_pem
+      end
+
+      def ca_certs_string
+        ca_certs.map(&:to_pem).join('\n') unless ca_certs.blank?
+      end
+
+      def self.from_strings(key_string, cert_string, ca_certs_string = nil)
+        key = OpenSSL::PKey::RSA.new(key_string)
+        cert = OpenSSL::X509::Certificate.new(cert_string)
+        ca_certs = load_ca_certs_bundle(ca_certs_string)
+
+        new(key, cert, ca_certs)
+      end
+
+      def self.from_files(key_path, cert_path, ca_certs_path = nil)
+        ca_certs_string = File.read(ca_certs_path) if ca_certs_path
+
+        from_strings(File.read(key_path), File.read(cert_path), ca_certs_string)
+      end
+
+      # Returns an array of OpenSSL::X509::Certificate objects, empty array if none found
+      #
+      # Ruby OpenSSL::X509::Certificate.new will only load the first
+      # certificate if a bundle is presented, this allows to parse multiple certs
+      # in the same file
+      def self.load_ca_certs_bundle(ca_certs_string)
+        return [] unless ca_certs_string
+
+        ca_certs_string.scan(CERT_REGEX).map do |ca_cert_string|
+          OpenSSL::X509::Certificate.new(ca_cert_string)
+        end
+      end
+
+      def initialize(key, cert, ca_certs = nil)
+        @key = key
+        @cert = cert
+        @ca_certs = ca_certs
+      end
+    end
+  end
+end

spec/factories/pages_domains.rb

@@ -258,6 +258,18 @@ ZDXgrA==
       certificate_source { :gitlab_provided }
     end
 
+    # This contains:
+    # webdioxide.com
+    # Let's Encrypt R3
+    # ISRG Root X1 (issued by DST Root CA X3)
+    #
+    # DST Root CA X3 expired on 2021-09-30, but ISRG Root X1 should be trusted on most systems.
+    trait :letsencrypt_expired_x3_root do
+      certificate do
+        File.read(Rails.root.join('spec/fixtures/ssl', 'letsencrypt_expired_x3.pem'))
+      end
+    end
+
     trait :explicit_ecdsa do
       certificate do
         '-----BEGIN CERTIFICATE-----

spec/factories_spec.rb

@@ -29,6 +29,7 @@ RSpec.describe 'factories' do
       [:pages_domain, :with_trusted_chain],
       [:pages_domain, :with_trusted_expired_chain],
       [:pages_domain, :explicit_ecdsa],
+      [:pages_domain, :letsencrypt_expired_x3_root],
       [:project_member, :blocked],
       [:remote_mirror, :ssh],
       [:user_preference, :only_comments],

spec/fixtures/ssl/letsencrypt_expired_x3.pem

+-----BEGIN CERTIFICATE-----
+MIIGJDCCBQygAwIBAgISBOSAE/WwQGsTbDJI1vDL9+eKMA0GCSqGSIb3DQEBCwUA
+MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
+EwJSMzAeFw0yMTEwMDEyMjIxMTlaFw0yMTEyMzAyMjIxMThaMBkxFzAVBgNVBAMT
+DndlYmRpb3hpZGUuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
+wf/TpE5AjzoLXMFQ+WHle7Dn5rlEe0bPee2JU386cZmMYnGFS5DR251FerSX28U4
+pqk2yS8oefHGi2PS6h8/MWxr+Zy/6hk3WkgwdIK3uPiUcfCdPV/btXDd4YqikEDm
+BoOE4fQlqKQwtLOnhEZu9y8FQoxxoQ+7DndHrDixDoMbpUloxpqUZwziQnH4QHXE
+32rQhq25+NUK/lVFGKOFnmZ2s/yUildKafqulHrLHOhumKMOEivzlFDZbtqP+RKt
+nsrJ3i9O+nSQz6j5dv3Du6eaResrtK7tT1MFDNhcg2cgjNW64VLXQdFXYXE1OYsw
+yAuXUnHNzWFhinyf80qeh2046YR21dlG8voIDQH4fGG5GmWLyu7glsWYVwQQ36VA
+TTxPmAoaqUTl8A7cnlJpAo+BJ00mS/9DwJ7pkgGC7dYOhJzWlI7lPqzEfmJ+o8pj
+CJlLIuqsn0vcCZQlmqCFMxK4asn+puLLnMjRLHIYEJKDNyPGHQEr2e5t4GUYZKaN
+MEpXMwJd97tUamUKWeBPNIND/kOuqexe+okbOTRp34VAsK5oCpawEJckoNkK+sv0
+OrSWFOdfLBHv66p9qsrz8LQXxmN5JUBUe51SBSUo1Ul4/vGYdhuKd/8KcLw9/Al+
+HJN2hAeo3v+2fVey4hgGna7XNe8e3+E+OEQb4zpQDLkCAwEAAaOCAkswggJHMA4G
+A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYD
+VR0TAQH/BAIwADAdBgNVHQ4EFgQU4PbvqCKatjx6GZMXy7v9GwykZq4wHwYDVR0j
+BBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsG
+AQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6
+Ly9yMy5pLmxlbmNyLm9yZy8wGQYDVR0RBBIwEIIOd2ViZGlveGlkZS5jb20wTAYD
+VR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYa
+aHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEGBgorBgEEAdZ5AgQCBIH3BIH0
+APIAdwBc3EOS/uarRUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAXw+KYGHAAAE
+AwBIMEYCIQCqD6jMtHrGlE02Qh1FzFd4+qYzJTrChHmHBFIncPGQKAIhALeYk0Vf
+/Lw2tX2beVlKN4/h1o8srNJv+06xkr1N6XmiAHcAfT7y+I//iFVoJMLAyp5SiXkr
+xQ54CX8uapdomX4i8NcAAAF8PimBogAABAMASDBGAiEA0h883FFj1dSYKGym9+Wa
+XgJRj526X7YlkhkZ5J1TjioCIQDyjMPrbo5liVi/e5b8gfDw5Fd9WNiTu1W1LKKu
+UpE/qTANBgkqhkiG9w0BAQsFAAOCAQEAcx10nqp1kh2awwoqwf7Jo8Gycqx2bA2O
+E2rveQ/BK9UhwvrNeEpE9SG6liMsYJKxGar0vbbBHvxzuMU00bhGjXFtUT5XuQ8q
+FcU0OdycyZj8fjZmUNsJr82l8HvfJ50jfxFORTgj8Ln5MWVUFlbl0nD+06l28sDc
+V+r/B4394fkoMsKXtiTA4/ZeOD1tHNsdxQ7sNQtEfqCG0wFCYHK3rs7XTZ1K0F3c
+M051JShko1UKP/k5blrendOwVRwLtq+9pavGnJBeqNIVgugTER/IHlp4427WyhdY
+KYjKoytW+XQyWqxU/Mh/O4rxkD8cZaE+FdZpP67VZ185AuZMbn+LcQ==
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----

spec/lib/gitlab/email/hook/smime_signature_interceptor_spec.rb

@@ -14,15 +14,15 @@ RSpec.describe Gitlab::Email::Hook::SmimeSignatureInterceptor do
   end
 
   let(:root_certificate) do
-    Gitlab::Email::Smime::Certificate.new(@root_ca[:key], @root_ca[:cert])
+    Gitlab::X509::Certificate.new(@root_ca[:key], @root_ca[:cert])
   end
 
   let(:intermediate_certificate) do
-    Gitlab::Email::Smime::Certificate.new(@intermediate_ca[:key], @intermediate_ca[:cert])
+    Gitlab::X509::Certificate.new(@intermediate_ca[:key], @intermediate_ca[:cert])
   end
 
   let(:certificate) do
-    Gitlab::Email::Smime::Certificate.new(@cert[:key], @cert[:cert], [intermediate_certificate.cert])
+    Gitlab::X509::Certificate.new(@cert[:key], @cert[:cert], [intermediate_certificate.cert])
   end
 
   let(:mail_body) { "signed hello with Unicode €áø and\r\n newlines\r\n" }
@@ -36,7 +36,7 @@ RSpec.describe Gitlab::Email::Hook::SmimeSignatureInterceptor do
   end
 
   before do
-    allow(Gitlab::Email::Smime::Certificate).to receive_messages(from_files: certificate)
+    allow(Gitlab::X509::Certificate).to receive_messages(from_files: certificate)
 
     Mail.register_interceptor(described_class)
     mail.deliver_now

spec/lib/gitlab/email/smime/certificate_spec.rb → spec/lib/gitlab/x509/certificate_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe Gitlab::Email::Smime::Certificate do
+RSpec.describe Gitlab::X509::Certificate do
   include SmimeHelper
 
   # cert generation is an expensive operation and they are used read-only,

spec/models/pages_domain_spec.rb

@@ -287,6 +287,19 @@ RSpec.describe PagesDomain do
 
       it { is_expected.to be_truthy }
     end
+
+    # The LetsEncrypt DST Root CA X3 expired on 2021-09-30, but the
+    # cross-sign in ISRG Root X1 enables it to function provided a chain
+    # of trust can be established with the system store. See:
+    #
+    # 1. https://community.letsencrypt.org/t/production-chain-changes/150739
+    # 2. https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
+    # 3. https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
+    context 'with a LetsEncrypt bundle with an expired DST Root CA X3' do
+      let(:domain) { build(:pages_domain, :letsencrypt_expired_x3_root) }
+
+      it { is_expected.to be_truthy }
+    end
   end
 
   describe '#expired?' do