From 0e5913310d2692d0e71b992880cb98b2022274d6 Mon Sep 17 00:00:00 2001
From: Elvin Efendi
Date: Thu, 4 Jul 2019 17:30:25 -0400
Subject: [PATCH 1/2] dynamic cert mode should understand domain with trailing dot

---
 rootfs/etc/nginx/lua/certificate.lua | 4 +++-
 rootfs/etc/nginx/lua/test/certificate_test.lua | 14 ++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/rootfs/etc/nginx/lua/certificate.lua b/rootfs/etc/nginx/lua/certificate.lua
index e07ebcb08..cf46f92e5 100644
--- a/rootfs/etc/nginx/lua/certificate.lua
+++ b/rootfs/etc/nginx/lua/certificate.lua
@@ -28,7 +28,9 @@ local function set_pem_cert_key(pem_cert_key)
   end
 end
 
-local function get_pem_cert_key(hostname)
+local function get_pem_cert_key(raw_hostname)
+  local hostname = re_sub(raw_hostname, "\\.$", "", "jo")
+
   local pem_cert_key = configuration.get_pem_cert_key(hostname)
   if pem_cert_key then
     return pem_cert_key
diff --git a/rootfs/etc/nginx/lua/test/certificate_test.lua b/rootfs/etc/nginx/lua/test/certificate_test.lua
index 2de532ad6..e47231655 100644
--- a/rootfs/etc/nginx/lua/test/certificate_test.lua
+++ b/rootfs/etc/nginx/lua/test/certificate_test.lua
@@ -66,6 +66,20 @@ describe("Certificate", function()
     assert_certificate_is_set(EXAMPLE_CERT)
   end)
 
+  it("sets certificate and key for domain with trailing dot", function()
+    ssl.server_name = function() return "hostname.", nil end
+    ngx.shared.certificate_data:set("hostname", EXAMPLE_CERT)
+
+    assert_certificate_is_set(EXAMPLE_CERT)
+  end)
+
+  it("fallbacks to default certificate and key for domain with many trailing dots", function()
+    ssl.server_name = function() return "hostname..", nil end
+    ngx.shared.certificate_data:set("hostname", EXAMPLE_CERT)
+
+    assert_certificate_is_set(DEFAULT_CERT)
+  end)
+
   it("sets certificate and key for nested wildcard cert", function()
     ssl.server_name = function() return "sub.nested.hostname", nil end
     ngx.shared.certificate_data:set("*.nested.hostname", EXAMPLE_CERT)
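Review bot: The new `re_sub` line in get_pem_cert_key has no comment saying why exactly one trailing dot is removed, and `ngx.re.sub` (which `re_sub` presumably aliases; the binding is outside the hunk) returns `nil, nil, err` on failure, so `hostname` would silently become nil before the `configuration.get_pem_cert_key(hostname)` lookup. A one-line comment such as `-- SNI may carry the FQDN form ("example.com."); drop one trailing dot so it matches the stored key` makes the intent explicit for the next reader. Capturing the error, `local hostname, _, err = re_sub(raw_hostname, "\\.$", "", "jo")`, and falling back with `if not hostname then hostname = raw_hostname end` keeps the lookup on the original name instead of nil if the substitution ever fails. get_pem_cert_key's body continues past the end of the hunk.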
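Review bot: The two new cases only cover exact-key lookups, while the normalised `hostname` presumably also feeds the wildcard matching that the neighbouring "nested wildcard cert" test exercises, so a third case with `ssl.server_name = function() return "sub.hostname.", nil end` and `ngx.shared.certificate_data:set("*.hostname", EXAMPLE_CERT)` would pin that a stripped name still matches a wildcard entry. The second title, `fallbacks to default certificate and key for domain with many trailing dots`, would read better as "falls back to the default certificate and key when more than one trailing dot is present", which also states the behaviour it asserts (only a single dot is normalised). Whether DEFAULT_CERT is installed by a before_each is outside the hunk, as is the rest of the describe block.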
From 08906ef8f2c4d59b6bb5d4b81fbd0812ce127de5 Mon Sep 17 00:00:00 2001
From: Elvin Efendi
Date: Thu, 4 Jul 2019 18:39:29 -0400
Subject: [PATCH 2/2] add comment to the test

---
 test/e2e/lua/dynamic_certificates.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/test/e2e/lua/dynamic_certificates.go b/test/e2e/lua/dynamic_certificates.go
index dd374143b..e66c7e8d6 100644
--- a/test/e2e/lua/dynamic_certificates.go
+++ b/test/e2e/lua/dynamic_certificates.go
@@ -130,6 +130,11 @@ var _ = framework.IngressNginxDescribe("Dynamic Certificate", func() {
 			ensureHTTPSRequest(f.GetURL(framework.HTTPS), host, host)
 		})
 
+		/*
+			TODO(elvinefendi): this test currently does not work as expected
+			because Go transport code strips (https://github.com/golang/go/blob/431b5c69ca214ce4291f008c1ce2a50b22bc2d2d/src/crypto/tls/handshake_messages.go#L424)
+			trailing dot from SNI as suggest by the standard (https://tools.ietf.org/html/rfc6066#section-3).
+		*/
 		It("supports requests with domain with trailing dot", func() {
 			ensureHTTPSRequest(f.GetURL(framework.HTTPS), host+".", host)
 		})
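Review bot: The new comment states that the spec `supports requests with domain with trailing dot` cannot reach the trailing-dot path because the Go TLS client drops the dot from SNI, yet the spec stays active and passes vacuously, so it would stay green even if the Lua normalisation regressed. Marking it pending, `PIt("supports requests with domain with trailing dot", func() {`, keeps the intent visible in the Ginkgo report without reporting a result that proves nothing, and the TODO could then say what is needed to re-enable it (a client that forwards the server name verbatim). A small wording fix in the added comment: `as suggest by the standard` should read `as suggested by the standard`. The enclosing Describe body continues outside the hunk.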