Temporarily issue both ECDSA and RSA from same issuer (#138 #144 #150)

The official Let's Encrypt boulder code only issues RSA certificates
from RSA issuer certificates and only ECDSA certificates from an ECDSA
issuer CA. Many people are having issues with this in LabCA.

Until we have the option for multiple issuers per root CA and/or
multiple CA chains in the GUI of LabCA, use the single issuer CA for
both key types.
Arjan H
2025-01-12 10:30:36 +01:00
parent 6c40fc1940
commit 2cb4d797ec
2 changed files with 22 additions and 0 deletions


@@ -21,6 +21,7 @@ fi
$SUDO patch -p1 < $cloneDir/patches/bad-key-revoker_main.patch
$SUDO patch -p1 < $cloneDir/patches/boulder-va_main.patch
$SUDO patch -p1 < $cloneDir/patches/ca_ca.patch
$SUDO patch -p1 < $cloneDir/patches/ca_ca_keytype_hack.patch
$SUDO patch -p1 < $cloneDir/patches/ca_crl.patch
$SUDO patch -p1 < $cloneDir/patches/cert-checker_main.patch
$SUDO patch -p1 < $cloneDir/patches/cmd_config.patch


@@ -0,0 +1,21 @@
diff --git a/ca/ca.go b/ca/ca.go
index 739ce53e7..2ccb11969 100644
--- a/ca/ca.go
+++ b/ca/ca.go
@@ -177,10 +177,14 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
}
}
if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 {
- fmt.Println("WARNING: no ECDSA issuers configured")
+ // TODO: LabCA hack!
+ issuersByAlg[x509.ECDSA] = issuersByAlg[x509.RSA]
+ // fmt.Println("WARNING: no ECDSA issuers configured")
}
if i, ok := issuersByAlg[x509.RSA]; !ok || len(i) == 0 {
- fmt.Println("WARNING: no RSA issuers configured")
+ // TODO: LabCA hack!
+ issuersByAlg[x509.RSA] = issuersByAlg[x509.ECDSA]
+ // fmt.Println("WARNING: no RSA issuers configured")
}
return issuerMaps{issuersByAlg, issuersByNameID}, nil
}
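Review bot: The cross-algorithm fallback in `makeIssuerMaps` is silent, because both `fmt.Println` warnings are commented out; nothing at startup records that ECDSA leaf certificates will be signed by the RSA issuer (or the reverse). When neither algorithm has an issuer, both branches assign an empty list and the function still returns a nil error without any message. Keep a log line in each branch, for example `fmt.Println("WARNING: no ECDSA issuers configured, falling back to RSA issuers")`, and leave the original warning in place when the other list is empty as well. A short comment should also state that the two map entries now share one slice and that the signature algorithm of the chain no longer matches the leaf key type, which some clients that accept only one algorithm may reject. The body of makeIssuerMaps begins outside the hunk, so whether an earlier check rejects an empty issuer list cannot be confirmed from here.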