Fix for fetching alt root certs

eggsampler · Mar 20, 2020 · d967753 · d967753
1 parent 04972c7
commit d967753
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 19 deletions.
diff --git a/certificate.go b/certificate.go
@@ -67,12 +67,16 @@ func (c Client) FetchAllCertificates(account Account, certificateURL string) (ma
 
 	alternates := fetchLinks(resp, "alternate")
 
-	for _, v := range alternates {
-		altCertChain, err := c.decodeCertificateChain(body, resp, account)
+	for _, altURL := range alternates {
+		altResp, altBody, err := c.postRaw(0, altURL, account.URL, account.PrivateKey, "", []int{http.StatusOK})
 		if err != nil {
-			return certs, fmt.Errorf("acme: error fetching alt cert chain at %q - %v", v, err)
+			return certs, fmt.Errorf("acme: error fetching alt cert chain at %q - %v", altURL, err)
 		}
-		certs[v] = altCertChain
+		altCertChain, err := c.decodeCertificateChain(altBody, altResp, account)
+		if err != nil {
+			return certs, fmt.Errorf("acme: error decoding alt cert chain at %q - %v", altURL, err)
+		}
+		certs[altURL] = altCertChain
 	}
 
 	return certs, nil

diff --git a/certificate_test.go b/certificate_test.go
@@ -1,8 +1,6 @@
 package acme
 
 import (
-	"os"
-	"strconv"
 	"testing"
 )
 
@@ -26,10 +24,6 @@ func TestClient_FetchCertificates(t *testing.T) {
 }
 
 func TestClient_FetchAllCertificates(t *testing.T) {
-	if testClientMeta.Software == clientBoulder {
-		t.Skip("boulder doesnt support alt cert chains: https://github.com/letsencrypt/boulder/issues/4567")
-		return
-	}
 	account, order, _ := makeOrderFinalised(t, nil)
 	if order.Certificate == "" {
 		t.Fatalf("no certificate: %+v", order)
@@ -38,16 +32,22 @@ func TestClient_FetchAllCertificates(t *testing.T) {
 	if err != nil {
 		t.Fatalf("expeceted no error, got: %v", err)
 	}
-	roots, ok := os.LookupEnv("PEBBLE_ALTERNATE_ROOTS")
-	if !ok {
-		return
-	}
-	numRoots, err := strconv.Atoi(roots)
-	if err != nil {
-		panic(err)
+
+	if len(certs) == 1 {
+		t.Skip("no alternative root certificates")
 	}
-	if numRoots > 0 && len(certs) <= numRoots {
-		t.Fatalf("expected > %d cert chains, got: %d", numRoots, len(certs))
+
+	for url1, certs1 := range certs {
+		for url2, certs2 := range certs {
+			if url2 == url1 {
+				continue
+			}
+			root1 := certs1[len(certs1)-1].Issuer.String()
+			root2 := certs2[len(certs2)-1].Issuer.String()
+			if root1 == root2 {
+				t.Fatalf("same root on cetificates: %s", root1)
+			}
+		}
 	}
 }