# tlsctl issues
Feed: https://gitlab.com/gitlab-org/ci-cd/runner-tools/tlsctl/-/issues (2022-01-07T00:07:32Z)

## casting the serial number
Issue: https://gitlab.com/gitlab-org/ci-cd/runner-tools/tlsctl/-/issues/5
Opened: 2022-01-07T00:07:32Z by Ben Prescott_

I noticed that the serial numbers specified in `info` do not match the files on disk.
```shell
$ ../tlsctl-linux-amd64 info --path git.watertower/4111
---
Serial: 100f
Subject:
```
OpenSSL shows them both:
```shell
$ openssl x509 -text -noout -in git.watertower/4111
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4111 (0x100f)
```
Noticed when working with `CAChain.crt`, because the specified serials don't match the filenames, should you want to inspect the certs directly.
```shell
$ ../tlsctl-linux-amd64 info --path gitlab.com/CAChain.crt | grep Serial
Serial: 1a407c8e793fcf051e22a0b2989de64
Serial: 7a29851ab7f45d6679506641b6ffd71d
Serial: 4000000000121585308a2
$ ls gitlab.com/
162381399334300351237757892920061450013 2180922574754299852229941692052659812 4835703278459759426209954 CAChain.crt
```
Linux binary off: https://gitlab.com/gitlab-org/ci-cd/runner-tools/tlsctl/-/pipelines/398129810

## tlsctl save doesn't always process the full chain
Issue: https://gitlab.com/gitlab-org/ci-cd/runner-tools/tlsctl/-/issues/4
Opened: 2022-01-07T00:07:33Z by Ben Prescott_

I'm testing [the most recent master build](https://gitlab.com/gitlab-org/ci-cd/runner-tools/tlsctl/-/jobs/1728769052/artifacts/browse) and I'm not getting the full chain being downloaded.
gitlab.com works as expected:
```shell
~/Downloads/build$ ./tlsctl-linux-amd64 save --url https://gitlab.com
INFO[0000] Save CAChain path=data/gitlab.com/CAChain.crt
INFO[0000] Save cert file path=data/gitlab.com/2180922574754299852229941692052659812 serial=2180922574754299852229941692052659812 subject="CN=about.gitlab.com"
INFO[0000] Save cert file path=data/gitlab.com/162381399334300351237757892920061450013 serial=162381399334300351237757892920061450013 subject="CN=GlobalSign Atlas R3 DV TLS CA H2 2021,O=GlobalSign nv-sa,C=BE"
INFO[0000] Save cert file path=data/gitlab.com/4835703278459759426209954 serial=4835703278459759426209954 subject="CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign"
```
My GitLab does not.
```shell
~/Downloads/build$ ./tlsctl-linux-amd64 save --url https://git.watertower
INFO[0001] Save CAChain path=data/git.watertower/CAChain.crt
INFO[0001] Save cert file path=data/git.watertower/4111 serial=4111 subject="CN=gander.watertower,OU=general,O=watertower,L=Bournemouth,ST=England,C=GB"
~/Downloads/build$ diff ./data/git.watertower/4111 ./data/git.watertower/CAChain.crt
27c27
< -----END CERTIFICATE-----
---
> -----END CERTIFICATE-----
\ No newline at end of file
```
But there's definitely a second cert in the chain:
```shell
~/Downloads/build$ echo | openssl s_client -connect git.watertower:443 -showcerts 2>/dev/null
CONNECTED(00000005)
---
Certificate chain
0 s:C = GB, ST = England, L = Bournemouth, O = watertower, OU = general, CN = gander.watertower
i:C = GB, ST = England, O = watertower, OU = pki, CN = sign20190513.pki.watertower
-----BEGIN CERTIFICATE-----
MIIEjDCCAnSgAwIBAgICEA8wDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCR0Ix
EDAOBgNVBAgMB0VuZ2xhbmQxEzARBgNVBAoMCndhdGVydG93ZXIxDDAKBgNVBAsM
A3BraTEkMCIGA1UEAwwbc2lnbjIwMTkwNTEzLnBraS53YXRlcnRvd2VyMB4XDTIx
(snip)
rDyd+vmedjH4IHEr8p5MWZTfnTvGamV7kAasXZAOdSeZkT17+MohRIpGq/EI6ykX
CUuuJJh7P4Ue+KvoE6aT+HJUgw+nbwUPKjjBQ4ca0TWGR/Z4czYd6/UkxE1w0Z7X
aaDguay+eK+CYxNvrGKLLw==
-----END CERTIFICATE-----
1 s:C = GB, ST = England, O = watertower, OU = pki, CN = sign20190513.pki.watertower
i:C = GB, ST = England, L = Bournemouth, O = watertower, OU = pki, CN = root20190513.pki.watertower
-----BEGIN CERTIFICATE-----
MIIFyDCCA7CgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwfjELMAkGA1UEBhMCR0Ix
EDAOBgNVBAgMB0VuZ2xhbmQxFDASBgNVBAcMC0JvdXJuZW1vdXRoMRMwEQYDVQQK
DAp3YXRlcnRvd2VyMQwwCgYDVQQLDANwa2kxJDAiBgNVBAMMG3Jvb3QyMDE5MDUx
(snip)
CCN7sXOV7oenYCBzaLAFUGiTDBFQC295oCq1TiJnQYZJjEUjAPO9/wFpK0QD0RQ6
1ucUXhnzb9NIkagte+wHWbuFZH9VpTs6cJ8j9CSqVmzQzt6XlS221g+ylR33kXsu
Ggpwxq36+qjknUs3+6JC0Qdck+ejKVwTMrWd9yZ/gK/SSMayJnWTPD4IFkQ=
-----END CERTIFICATE-----
---
Server certificate
subject=C = GB, ST = England, L = Bournemouth, O = watertower, OU = general, CN = gander.watertower
issuer=C = GB, ST = England, O = watertower, OU = pki, CN = sign20190513.pki.watertower
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3217 bytes and written 396 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```

## Add runbook
Issue: https://gitlab.com/gitlab-org/ci-cd/runner-tools/tlsctl/-/issues/3
Opened: 2021-06-16T00:14:35Z by Steve Xuereb (sxuereb@gitlab.com)

### Overview
The README.md file shows how to use the tool. We should add information on when to use the tool and how to use it to gather the necessary information to debug specific problems.

## Save original chain returned from server
Issue: https://gitlab.com/gitlab-org/ci-cd/runner-tools/tlsctl/-/issues/2
Opened: 2021-06-16T00:14:37Z by Steve Xuereb (sxuereb@gitlab.com)

For the `save` command we should also save the certificate sent from the server in its original state.

## Add CI to publish binaries
Issue: https://gitlab.com/gitlab-org/ci-cd/runner-tools/tlsctl/-/issues/1
Opened: 2021-11-02T16:17:32Z by Steve Xuereb (sxuereb@gitlab.com)
Labels: Backlog

Add a CI job to publish an artifact with the binary.