Closed komuw closed 1 year ago
I think it is fine the way it is, maybe what we need to do is change; https://github.com/komuw/ong/blob/faf6e54525e946ebce6ca62a1ac98d4e7f860fa8/internal/acme/client.go#L810 to;
```go
c, err := io.ReadAll(io.LimitReader(res.Body, someMaxvalue))
```
The reason why it is fine as is, is because when we do io.ReadAll(response), even if the response is a chain, it will be read and saved.
Actually I checked, and ong/acme is doing the right thing and downloading the chain.
What is left is just to limit the maximum size of certificates we allow to download to prevent denial of service.
https://letsencrypt.org/2023/07/10/cross-sign-expiration.html says;
And https://datatracker.ietf.org/doc/html/rfc8555#section-7.4.2;
Which is defined by https://datatracker.ietf.org/doc/html/rfc8555#section-9 as;
see: https://github.com/golang/crypto/blob/v0.11.0/acme/rfc8555.go#L400-L424