What are you trying to do?
Trying to run Certmagic with Pebble as a development setup.
What steps did you take?
I retrieved the root certificate from the pebble server and added it to the default trustedRoots. Then created a default instance and tried to retrieve a certificate for example.com.
```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"io"
	"log"
	"net/http"

	"github.com/caddyserver/certmagic"
)

const DEV_ACME_URL = "https://localhost:14000/dir"
const DEV_ACME_URL_ROOT_CERT = "https://localhost:15000/roots/0"

func main() {
	// get the root cert from pebble (the management endpoint is fetched without
	// verification since we do not trust anything yet)
	client := &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
		},
	}
	res, err := client.Get(DEV_ACME_URL_ROOT_CERT)
	if err != nil {
		log.Fatal(err)
	}
	defer res.Body.Close()
	acmeRootCertPemBlock, err := io.ReadAll(res.Body)
	if err != nil {
		log.Fatal(err)
	}
	certDERBlock, _ := pem.Decode(acmeRootCertPemBlock)
	if certDERBlock == nil {
		log.Fatal("Failed to parse the certificate PEM.")
	}
	acmeRootCert, err := x509.ParseCertificate(certDERBlock.Bytes)
	if err != nil {
		log.Fatal(err)
	}
	// add cert to trusted roots
	pool := x509.NewCertPool()
	pool.AddCert(acmeRootCert)
	certmagic.DefaultACME = certmagic.ACMEIssuer{
		CA:           DEV_ACME_URL,
		TestCA:       DEV_ACME_URL,
		Email:        "dev@localhost.tld",
		Agreed:       true,
		TrustedRoots: pool,
	}
	// test setup
	magic := certmagic.NewDefault()
	if err := magic.ManageSync(context.TODO(), []string{"example.com"}); err != nil {
		log.Fatal(err)
	}
}
```
What version of the package are you using?
v0.19.2
docker-compose for pebble part
What did you expect to happen, and what actually happened instead?
I expected the client to be able to communicate with the Pebble server. However, it fails due to the certificate being signed by an unknown authority.
Error:
Please link to any related issues, pull requests, and/or discussion
This issue describes exactly the same problem. It suggests adding the certificate to the trusted stores, however it did not work for me.
https://github.com/caddyserver/certmagic/issues/191
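An added example (not code from the issue, certmagic or Pebble) that reproduces the "unknown authority" outcome offline and shows the check worth running before handing a pool to TrustedRoots: does the root you fetched actually verify the certificate presented by the ACME directory endpoint? It builds its own constructed CAs and leaf in place of Pebble's; note that Pebble's management endpoint /roots/0 returns the root Pebble issues certificates from, while the directory on :14000 is served with Pebble's test certificate test/certs/localhost/cert.pem, signed by its separate test/certs/pebble.minica.pem, so a pool holding only /roots/0 does not verify the :14000 connection (a fact about Pebble's repository, not stated in the issue).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns a certificate for name: a self-signed CA when parent is nil, otherwise a
// server leaf signed by parent. Constructed test data; errors are ignored for brevity.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-sign
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenario models a Pebble-style setup: the issuing root (what /roots/0 serves) is trusted
// on its own first, then the CA that actually signed the HTTPS endpoint cert is added too.
// A returned x509.UnknownAuthorityError is the failure reported in the issue.
func Scenario() (issuingRootOnly, withEndpointCA error) {
	issuingRoot, _ := issue("pebble-issuing-root", nil, nil)
	endpointCA, endpointKey := issue("pebble-endpoint-ca", nil, nil)
	endpointLeaf, _ := issue("localhost", endpointCA, endpointKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: "localhost"}
	opts.Roots.AddCert(issuingRoot)
	_, issuingRootOnly = endpointLeaf.Verify(opts) // x509.UnknownAuthorityError
	opts.Roots.AddCert(endpointCA)
	_, withEndpointCA = endpointLeaf.Verify(opts) // nil: chain now verifies
	return issuingRootOnly, withEndpointCA
}
```

Against a live Pebble, the same Verify call on the leaf returned by a TLS dial to :14000 tells you which CA the pool is missing before certmagic ever contacts the directory.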