Labels: bug (Something isn't working)

Description
A duplicate extension field in the self-signed cert for dex raises an error in dns3ld:
```
dns3l-dns3ld | panic: could not initialize new OIDC binding for https://auth:5554/auth: Get "https://auth:5554/auth/.well-known/openid-configuration": tls: failed to parse certificate from server: x509: certificate contains duplicate extensions
dns3l-dns3ld |
dns3l-dns3ld | goroutine 1 [running]:
dns3l-dns3ld | main.glob..func1(0xeeab80?, {0xa5ab74?, 0x4?, 0x4?})
dns3l-dns3ld | /go/build/cmd/dns3ld/main.go:53 +0x1d0
dns3l-dns3ld | github.com/spf13/cobra.(*Command).execute(0xeeab80, {0xc0000220b0, 0x4, 0x4})
dns3l-dns3ld | /go/pkg/mod/github.com/spf13/cobra@v1.4.0/command.go:860 +0x663
dns3l-dns3ld | github.com/spf13/cobra.(*Command).ExecuteC(0xeeab80)
dns3l-dns3ld | /go/pkg/mod/github.com/spf13/cobra@v1.4.0/command.go:974 +0x3bd
dns3l-dns3ld | github.com/spf13/cobra.(*Command).Execute(...)
dns3l-dns3ld | /go/pkg/mod/github.com/spf13/cobra@v1.4.0/command.go:902
dns3l-dns3ld | main.Execute()
dns3l-dns3ld | /go/build/cmd/dns3ld/main.go:106 +0x186
dns3l-dns3ld | main.main()
dns3l-dns3ld | /go/build/cmd/dns3ld/main.go:17 +0x29
```
When looking at the X509 extensions of the generated and presented cert, we can see there is a double "Basic Constraints" extension field:

```
X509v3 extensions:
[...]
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Basic Constraints:
CA:FALSE
[...]
```
Here is the line setting it to CA:false (Line 125 in 5b89bcb):

```
-addext "basicConstraints=CA:false" \
```

When removing the line it works (workaround). We need to set CA:false in a way that it overwrites the previously set extension.

Probably, earlier TLS client libs used by dns3ld have been ignoring the error; this may be the reason why it did not appear before.
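Added example, not code from the dns3l project: a Go check that walks a DER certificate's extension list and reports which OID is duplicated (Go's own parser only says "duplicate extensions"), plus a constructed Ed25519 self-signed test certificate that reproduces the double basicConstraints shown above. `DuplicateExtensions` and `DexLikeCert` are names assumed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// DuplicateExtensions walks a DER certificate to its [3] EXPLICIT extension list and returns
// each OID present more than once (the condition Go's x509 parser rejects, without naming the OID).
func DuplicateExtensions(der []byte) ([]string, error) {
	var c struct{ TBS asn1.RawValue } // trailing members (sigAlg, signature) are tolerated
	if _, err := asn1.Unmarshal(der, &c); err != nil {
		return nil, err
	}
	var el asn1.RawValue // step over version, serial, ..., SPKI, UIDs until the [3] element
	isExts := func() bool { return el.Class == asn1.ClassContextSpecific && el.Tag == 3 }
	for rest, err := c.TBS.Bytes, error(nil); len(rest) > 0 && !isExts(); {
		if rest, err = asn1.Unmarshal(rest, &el); err != nil {
			return nil, err
		}
	}
	var exts []pkix.Extension
	if isExts() { // v1/v2 certificates carry no extension list at all
		if _, err := asn1.Unmarshal(el.Bytes, &exts); err != nil {
			return nil, err
		}
	}
	seen, dups := map[string]int{}, []string{}
	for _, e := range exts {
		id := e.Id.String()
		if seen[id]++; seen[id] == 2 {
			dups = append(dups, id)
		}
	}
	return dups, nil
}
// DexLikeCert is constructed test data, not the project's cert: a self-signed certificate with
// the two basicConstraints extensions from the issue (critical CA:TRUE, then CA:false).
func DexLikeCert() ([]byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	bc := asn1.ObjectIdentifier{2, 5, 29, 19}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: bc, Critical: true, Value: []byte{0x30, 0x03, 0x01, 0x01, 0xff}}, {Id: bc, Value: []byte{0x30, 0x00}}}}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}
```

Running the check against the cert dex presents (e.g. the DER from `openssl x509 -outform DER`) names 2.5.29.19 (basicConstraints), which is the extension the `-addext` line adds a second time.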