Feature #11814

Feature #11809: Deal with tails.b.o's X.509 certificate expiring early 2017

Have DAVE also trust Let's Encrypt CA

Added by intrigeri about 3 years ago. Updated almost 2 years ago.

Status: Resolved
Priority: High
Assignee: -
Category: Installation
Target version:
Start date: 09/20/2016
Due date:
% Done: 100%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool:

Description

We're told that https://tails.b.o will likely switch to Let's Encrypt certificates around the end of the year, so DAVE needs to trust the Let's Encrypt CA somehow. Ideally, it would trust Let's Encrypt's current intermediate CA, instead of the DST root CA (see #11810 for details). But if this does not work, then DAVE needs to trust both the root CA currently used by Let's Encrypt (i.e. the DST one) and Let's Encrypt's own root CA that will be used in the future.

Note the "also" in the ticket title: DAVE needs to keep trusting the currently used CA until the tails.b.o webserver switches to the new one. What needs to be done is to make it also trust the CA that will be used in the future. I had a quick look at conf.json and at first glance, it looks like such CA transition processes are not supported, which seems surprising to me given it's a pretty common use case. I hope I'm wrong, and even if I got it right, I hope that it's easy to add support for this use case :)

To ease development and testing, I've set up a descriptor on a web server that already uses Let's Encrypt: https://labs.riseup.net/test/tails.boum.org/install/v1/Tails/i386/stable/latest.yml. So one should be able to test pinning changes against something that looks very much like our future production setup.
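The following is an added example, not DAVE's code and not its conf.json format: a pin-set check showing which chains each option in the description would accept before and after the web server switches CA. All certificate names and SPKI byte strings are constructed stand-ins, and the "unrelated CA" chain assumes a hypothetical second intermediate issued under the same root.

```python
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """SHA-256 pin (hex) of a certificate's SubjectPublicKeyInfo bytes."""
    return hashlib.sha256(spki_der).hexdigest()

# Constructed stand-ins for DER-encoded SPKI blobs (assumption: real pins
# would be computed from the actual certificates, not from these labels).
NAMES = ("current-root", "current-intermediate", "dst-root", "le-intermediate",
         "le-root", "other-intermediate-under-dst",
         "leaf-old", "leaf-new", "leaf-other")
SPKI = {name: f"constructed-spki:{name}".encode() for name in NAMES}

def chain(*names):
    """Pins of a presented chain, leaf first."""
    return [spki_pin(SPKI[n]) for n in names]

def pins(*names):
    """A pin set: the CA keys the client is configured to trust."""
    return frozenset(spki_pin(SPKI[n]) for n in names)

def chain_is_pinned(chain_pins, pin_set):
    """Accept when any certificate in the (already path-validated) chain is pinned."""
    return any(p in pin_set for p in chain_pins)

CHAINS = {
    "before switch": chain("leaf-old", "current-intermediate", "current-root"),
    "after switch": chain("leaf-new", "le-intermediate", "dst-root"),
    # Hypothetical: another CA's intermediate chaining to the same root.
    "unrelated CA under DST root": chain("leaf-other", "other-intermediate-under-dst", "dst-root"),
}

PIN_SETS = {
    "current CA only": pins("current-root"),
    "current + LE intermediate": pins("current-root", "le-intermediate"),
    "current + DST root + LE root": pins("current-root", "dst-root", "le-root"),
}

def evaluate():
    """Map each pin set to the accept/reject decision for every chain."""
    return {ps_name: {c_name: chain_is_pinned(c, ps) for c_name, c in CHAINS.items()}
            for ps_name, ps in PIN_SETS.items()}

if __name__ == "__main__":
    for ps_name, row in evaluate().items():
        print(ps_name, row)
```

Only the two multi-pin sets accept the server on both sides of the switch; the set that pins the intermediate rejects the chain that merely shares the root, while the set that pins the root accepts it.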

History

#1 Updated by intrigeri about 3 years ago

  • Subject changed from Have DAVE trust Let's Encrypt CA to Have DAVE also trust Let's Encrypt CA
  • Description updated (diff)

#2 Updated by intrigeri about 3 years ago

  • Assignee set to ma1

Hi Giorgio! Do you think you can take care of this in October?

#3 Updated by ma1 about 3 years ago

intrigeri wrote:

> Hi Giorgio! Do you think you can take care of this in October?

Sure, I'll do it.

#4 Updated by intrigeri about 3 years ago

> Sure, I'll do it.

Thanks a lot!

#5 Updated by ma1 about 3 years ago

  • Assignee changed from ma1 to intrigeri
  • QA Check set to Ready for QA

#6 Updated by intrigeri about 3 years ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 50

#7 Updated by intrigeri about 3 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

Looks good to me, thanks!

#8 Updated by intrigeri about 3 years ago

  • Assignee deleted (intrigeri)

#9 Updated by intrigeri almost 2 years ago

  • Affected tool deleted (Download and Verification Extension)
