
Validating wildcard certificates #31

Open
mbrancato opened this issue May 1, 2020 · 0 comments

mbrancato commented May 1, 2020

How does this plugin validate wildcard certificates? The PCF Documentation says the following:

Note: TLS certificates generated for wildcard DNS records only work for a single domain name component or component fragment. For example, a certificate generated for *.DOMAIN.com does not work for *.apps.DOMAIN.com and *.sys.DOMAIN.com. The certificate must have both *.apps.DOMAIN.com and *.sys.DOMAIN.com attributed to it.

This is not how most browsers operate for TLS trust, and the RFC covering wildcard certs states this check is optional, but the cf CLI does enforce this rule. I received an x509 trust error from the Vault CF plugin (it's an older version) for a wildcard signed for *.DOMAIN.com by a public CA, but I didn't know if this plugin is explicitly enforcing the single domain name component or is that maybe a golang default?

My concern is now I have to pin the cert in the config, and I'd prefer to just let normal trust rules apply.
