Liblor / applied_sec_lab

Applied Security Laboratory - AS19

Implement public CRL with 10-minute cache, fix PKCS#12 export issues #55

Closed RequestForCoffee closed 4 years ago

RequestForCoffee commented 4 years ago

Fixes #44.

keyctl commented 4 years ago

@RequestForCoffee For some reason, aslweb* didn't have the shared directory mounted, so I wasn't able to test just now. But the nginx setup should work.

Miro-H commented 4 years ago

> @RequestForCoffee For some reason, aslweb* didn't have the shared directory mounted, so I wasn't able to test just now. But the nginx setup should work.

Normal hosts never used a shared folder until now, why would you need one?

Miro-H commented 4 years ago

I'll soon add the code to install the intermediate certificate in the web servers root of trust. Just testing it works on a new instance.

Miro-H commented 4 years ago

I built a new env on this branch with my changes. After building the web and cert server from source, certificate issuing works out-of-the-box.

But I still see "The SSL Certificate Error" when I use the certificate to connect to the website.

keyctl commented 4 years ago

> But I still see "The SSL Certificate Error" when I use the certificate to connect to the website.

Can you tell me if you can connect to http://aslweb01/crl/revoked.crl without being redirected to HTTPS? Also, does nginx complain?

keyctl commented 4 years ago

> Normal hosts never used a shared folder until now, why would you need one?

Oh, well then I was confused about this. Thanks!

Miro-H commented 4 years ago

> > But I still see "The SSL Certificate Error" when I use the certificate to connect to the website.
>
> Can you tell me if you can connect to http://aslweb01/crl/revoked.crl without being redirected to HTTPS? Also, does nginx complain?

I'm redirected to HTTPS

keyctl commented 4 years ago

> I'm redirected to HTTPS

I rebuilt this from scratch and I'm not redirected to HTTPS. Are you sure this is the case? How did you access the file?

I've used `curl -L http://aslans01/crl/revoked.crl`, but the server gives an empty response with `Content-Length: 0`. I assume the CRL is empty at this point?

keyctl commented 4 years ago

It seems that HTTP/2 is not commonly supported without HTTPS, so I will remove that option for the CRL list. This may give better compatibility.

keyctl commented 4 years ago

> But I still see "The SSL Certificate Error" when I use the certificate to connect to the website.

Could you re-test this with the updated configuration?

Miro-H commented 4 years ago

> > I'm redirected to HTTPS
>
> I rebuilt this from scratch and I'm not redirected to HTTPS. Are you sure this is the case? How did you access the file?
>
> I've used `curl -L http://aslans01/crl/revoked.crl`, but the server gives an empty response with `Content-Length: 0`. I assume the CRL is empty at this point?

I just accessed it directly in the browser

keyctl commented 4 years ago

> I just accessed it directly in the browser

Then this was probably due to HSTS. Please use curl for testing.

Miro-H commented 4 years ago

You're right, with curl it does something (I haven't rebuilt the environment yet though). But what I get is not a valid crl.

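A plain-HTTP fetch check that classifies the three failure modes raised in this thread (redirect to HTTPS, empty `Content-Length: 0` body, and bytes that are not a DER CRL), added here as an example and not code from the applied_sec_lab repository; the host aslweb01 and path /crl/revoked.crl are taken from the discussion, and the sample CRL bytes are constructed for the structural check only:

```python
import http.client

# Constructed minimal DER CertificateList shape, unsigned, for structure tests only:
# SEQUENCE { SEQUENCE { INTEGER 0 }, SEQUENCE { }, BIT STRING "" }
SAMPLE_DER_CRL = bytes.fromhex("300a30030201003000030100")


def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated")
    tag, first = buf[pos], buf[pos + 1]
    n = first & 0x7F if first & 0x80 else 0   # long form: n length bytes follow
    if first & 0x80 and not 0 < n <= 4:
        raise ValueError("bad length")
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big") if n else first
    start, end = pos + 2 + n, pos + 2 + n + length
    if end > len(buf):
        raise ValueError("truncated")
    return tag, start, end

def looks_like_der_crl(body):
    """Structural check only (no signature verification): CertificateList =
    SEQUENCE { SEQUENCE tbsCertList, SEQUENCE sigAlg, BIT STRING sig } spanning body."""
    try:
        tag, pos, end = der_tlv(body, 0)
        tags = []
        while tag == 0x30 and end == len(body) and pos < end and len(tags) < 3:
            t, _, pos = der_tlv(body, pos)
            tags.append(t)
        return tags == [0x30, 0x30, 0x03] and pos == end
    except ValueError:
        return False

def diagnose(status, headers, body):
    """Classify a plain-HTTP fetch into the failure modes discussed in the thread."""
    loc = headers.get("location", "").lower()
    if status in (301, 302, 307, 308) and loc.startswith("https://"):
        return "redirected-to-https"     # what an HSTS-pinned browser would follow
    if status != 200:
        return "http-%d" % status
    if not body:
        return "empty-body"              # the Content-Length: 0 case
    return "der-crl" if looks_like_der_crl(body) else "invalid-crl"

def fetch_and_diagnose(host="aslweb01", path="/crl/revoked.crl"):
    """GET over port 80 without following redirects. Host/path are assumed from the thread."""
    conn = http.client.HTTPConnection(host, 80, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    return diagnose(resp.status, {k.lower(): v for k, v in resp.getheaders()}, resp.read())
```

Unlike `curl -L` or a browser, `fetch_and_diagnose` does not follow redirects, so a `redirected-to-https` result shows the plain-HTTP CRL endpoint itself is misconfigured rather than HSTS in the client.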

keyctl commented 4 years ago

> You're right, with curl it does something (I haven't rebuilt the environment yet though). But what I get is not a valid crl.

Apply the latest patch (which removes HTTP/2 for HTTP, rerunning Ansible is enough), and we should be able to merge this ;-)

Miro-H commented 4 years ago

> > You're right, with curl it does something (I haven't rebuilt the environment yet though). But what I get is not a valid crl.
>
> Apply the latest patch (which removes HTTP/2 for HTTP, rerunning Ansible is enough), and we should be able to merge this ;-)

Hm, I pulled the newest changes, ran ansible, ran both cert and webserver from the latest sources but I still see the SSL error and the broken CRL from above. I will build a new infrastructure, maybe I broke something earlier.

keyctl commented 4 years ago

The error message still appears, yes, but the CRL can be downloaded correctly over HTTP using curl. I'm currently trying to get the CRLs chained and feed them to nginx.

Miro-H commented 4 years ago

> The error message still appears, yes, but the CRL can be downloaded correctly over HTTP using curl. I'm currently trying to get the CRLs chained and feed them to nginx.

I can confirm this. CRL works now, the error is still there.

keyctl commented 4 years ago

I've tested this with 5f8fe0b and it seemed to work. Please use a new environment and make sure to use the local builds (a pull request for making this more convenient is pending at #60).

Miro-H commented 4 years ago

The SSL error is now finally gone for me too, but I'm not logged in when I provide the certificate. Is this expected?

keyctl commented 4 years ago

> The SSL error is now finally gone for me too, but I'm not logged in when I provide the certificate. Is this expected?

I think @RequestForCoffee is already aware of that. Can we merge this and open an issue for authentication?