Temporarily issue both ECDSA and RSA from same issuer (#138 #144 #150)

The official Let's Encrypt boulder code only issues RSA certificates from RSA issuer certificates and only ECDSA certificates from an ECDSA issuer CA. Many people are having issues with this in LabCA. Until we have the option for multiple issuers per root CA and/or multiple CA chains in the GUI of LabCA, use the single issuer CA for both key types.
hakwerk · Jan 12, 2025 · 2cb4d79 · 2cb4d79
1 parent 6c40fc1
commit 2cb4d79
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/patch.sh b/patch.sh
@@ -21,6 +21,7 @@ fi
 $SUDO patch -p1 < $cloneDir/patches/bad-key-revoker_main.patch
 $SUDO patch -p1 < $cloneDir/patches/boulder-va_main.patch
 $SUDO patch -p1 < $cloneDir/patches/ca_ca.patch
+$SUDO patch -p1 < $cloneDir/patches/ca_ca_keytype_hack.patch
 $SUDO patch -p1 < $cloneDir/patches/ca_crl.patch
 $SUDO patch -p1 < $cloneDir/patches/cert-checker_main.patch
 $SUDO patch -p1 < $cloneDir/patches/cmd_config.patch

diff --git a/patches/ca_ca_keytype_hack.patch b/patches/ca_ca_keytype_hack.patch
@@ -0,0 +1,21 @@
+diff --git a/ca/ca.go b/ca/ca.go
+index 739ce53e7..2ccb11969 100644
+--- a/ca/ca.go
++++ b/ca/ca.go
+@@ -177,10 +177,14 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
+ 		}
+ 	}
+ 	if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 {
+-		fmt.Println("WARNING: no ECDSA issuers configured")
++		// TODO: LabCA hack!
++		issuersByAlg[x509.ECDSA] = issuersByAlg[x509.RSA]
++		// fmt.Println("WARNING: no ECDSA issuers configured")
+ 	}
+ 	if i, ok := issuersByAlg[x509.RSA]; !ok || len(i) == 0 {
+-		fmt.Println("WARNING: no RSA issuers configured")
++		// TODO: LabCA hack!
++		issuersByAlg[x509.RSA] = issuersByAlg[x509.ECDSA]
++		// fmt.Println("WARNING: no RSA issuers configured")
+ 	}
+ 	return issuerMaps{issuersByAlg, issuersByNameID}, nil
+ }