keystonejs/keystone-classic

Automated letsencrypt issuing bad certificate - Fake LE Root X1

Open

#4,660 opened on Jun 18, 2018

View on GitHub
 (0 comments) (0 reactions) (0 assignees)JavaScript (14,656 stars) (2,288 forks)batch import
4.x candidatehelp wantedquestion

Description

Expected behavior

Valid letsencrypt certificate should be issued.

Actual/Current behavior

An invalid certificate is issued by Fake LE Root X1

Steps to reproduce the actual/current behavior

  1. Set NODE_ENV=production in .env
  2. Add letsencrypt config as per this article.
  3. Run keystone
  4. Load in browser, no green padlock as certificate is invalid.

If I manually generate the certificate with certbot, then move the keys over, everything works properly.

Environment

Software Version
Keystone 4.0.0-beta.5
Node v6.12.3
Ubuntu 16.04

Contributor guide

Tech stack
javascriptnodejs
Domain
backenddevops
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
half day
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
needs investigation
Prerequisites
Node.jsSSL/TLS basics
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
15
Research direction
Investigate the automated letsencrypt certificate generation in Keystone. Examine the relevant code (likely in the keystone SSL module) to identify why a 'Fake LE Root X1' certificate is issued instead of a valid one. Compare with manual certbot certificate generation. Look for misconfiguration, outdated ACME library, or issues with the directory endpoint. Check the Keystone documentation and any related issues for known fixes.