We are using a web server in a docker container. At the moment our public private key is working fine. The problem we have is that our CAFile is not being included as an offered certificate when we test our site with https://www.ssllabs.com/. After reviewing solutions, I attempted to add the certification to a caCertPool and added it to the configutation. Even after doing that, SSL Labs still says it does not see it and we still get a B Score. Here is a code snippet of what I am attempting without luck so far.
certs, err := newStaticCerts(&static.Config{UseStaticFiles: cfg.IsProduction, FallbackToDisk: true, AbsPkgPath: getMessagePath()})
if err != nil {
log.WithFields(log.F("error", err)).Fatal("Issue initializing static certs")
}
httpKey, err := certs.ReadFile("/certs/website.com.key")
if err != nil {
log.WithFields(log.F("error", err)).Fatal("Issue loading tls key")
}
httpPem, err := certs.ReadFile("/certs/website.com.pem")
if err != nil {
log.WithFields(log.F("error", err)).Fatal("Issue loading tls pem")
}
caFilePem, err := certs.ReadFile("/certs/CAFile.pem")
if log.CheckErr(err, "Issue loading CAFile pem") {
return
}
// Load client cert
cert, err := tls.X509KeyPair(httpPem, httpKey)
if err != nil {
log.Fatal(err)
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caFilePem)
tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
},
Certificates: []tls.Certificate{cert},
RootCAs: caCertPool,
}
tlsConfig.BuildNameToCertificate()
//server := &http.Server{Addr: ":" + strconv.Itoa(cfg.AppPort), Handler: p.Serve(), TLSConfig: tlsConfig}
srv := &http.Server{
Addr: ":" + strconv.Itoa(cfg.AppPort),
Handler: p.Serve(),
TLSConfig: tlsConfig,
TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
}
err = kmshttp.RunServer(srv)
if log.CheckErr(err, "shutting down server") {
return
}
The problem is when we check our Certification Paths, our RSA CA is an "Extra download" and not included on our site.