
Autocert: support multiple roots feature #67

Open
chris-lee-lb opened this issue Nov 5, 2022 · 3 comments
Labels
enhancement New feature or request needs triage Waiting for discussion / prioritization by team

Comments

@chris-lee-lb

What would you like to be added

Need a way to also keep the latest root bundles in sync from the step-ca server. A simple idea is that maybe we can use step ca new --exec to execute step ca roots.

Why this is needed

To support the step-ca multiple roots feature.

@chris-lee-lb chris-lee-lb added enhancement New feature or request needs triage Waiting for discussion / prioritization by team labels Nov 5, 2022
@chris-lee-lb
Author

chris-lee-lb commented Nov 5, 2022

This feature may also support the step-ca federation feature, as in #21.

@chris-lee-lb
Author

Or maybe we can make ca.certs.root_ca.crt in values.yaml accept multiple PEM files.

Currently I face this error: CA fingerprint: error decoding /home/step/certs/root_ca.crt: contains more than one PEM encoded block.

Looks like autocert wants to insert the env var STEP_FINGERPRINT when the controller injects the renewer sidecar, but I cannot find any information that the STEP_FINGERPRINT env is a must for the step ca renew command.

So maybe we can remove the related logic from the controller?

@maraino
Collaborator

maraino commented Nov 9, 2022

Changing the code to avoid that error and support multiple files is quite simple. This is the code that shows that message:

autocert/controller/main.go

Lines 265 to 271 in f3ba90f

```go
// Generate CA fingerprint
crt, err := pemutil.ReadCertificate(config.GetRootCAPath())
if err != nil {
	return b, errors.Wrap(err, "CA fingerprint")
}
sum := sha256.Sum256(crt.Raw)
fingerprint := strings.ToLower(hex.EncodeToString(sum[:]))
```

Assuming that the first certificate is the one used, to support multiple certs we will do something like this:

```go
// Generate CA fingerprint
crts, err := pemutil.ReadCertificateBundle(config.GetRootCAPath())
if err != nil {
	return b, errors.Wrap(err, "CA fingerprint")
}
sum := sha256.Sum256(crts[0].Raw)
fingerprint := strings.ToLower(hex.EncodeToString(sum[:]))
```

That will solve that error message; the main problem with integrating that right now is having the time to test it.
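The following is an added, self-contained illustration of the two behaviours discussed in this thread; it is not code from the autocert project and it uses only the Go standard library (encoding/pem and crypto/x509) in place of smallstep's pemutil. ParseSingleCertificate is a hypothetical stand-in that reproduces the "contains more than one PEM encoded block" failure on a multi-root file, ParseCertificateBundle is the bundle-tolerant replacement, and RootFingerprints derives the same lowercase hex SHA-256 fingerprint as the controller snippet for every root in file order. newDemoRoot generates throwaway self-signed CA certificates so the example runs offline; they are constructed test data, not real step-ca roots.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ParseSingleCertificate mirrors the behaviour reported in the thread: exactly
// one PEM block is accepted, a bundle is rejected. Hypothetical stand-in, not
// smallstep's pemutil.ReadCertificate.
func ParseSingleCertificate(data []byte) (*x509.Certificate, error) {
	block, rest := pem.Decode(data)
	if block == nil {
		return nil, errors.New("error decoding certificate: no PEM encoded block found")
	}
	if next, _ := pem.Decode(rest); next != nil {
		return nil, errors.New("error decoding certificate: contains more than one PEM encoded block")
	}
	return x509.ParseCertificate(block.Bytes)
}

// ParseCertificateBundle decodes every CERTIFICATE block in data, so a
// root_ca.crt holding several roots (rollover, federation) parses cleanly.
func ParseCertificateBundle(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	rest := data
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue // ignore non-certificate blocks that may share the file
		}
		crt, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("error decoding certificate bundle: %w", err)
		}
		certs = append(certs, crt)
	}
	if len(certs) == 0 {
		return nil, errors.New("error decoding certificate bundle: no certificate found")
	}
	return certs, nil
}

// Fingerprint is the lowercase hex SHA-256 of the DER certificate, the same
// derivation as the controller snippet.
func Fingerprint(crt *x509.Certificate) string {
	sum := sha256.Sum256(crt.Raw)
	return strings.ToLower(hex.EncodeToString(sum[:]))
}

// RootFingerprints returns one fingerprint per root in file order, so a caller
// can pick crts[0] as proposed in the thread or pin every root explicitly.
func RootFingerprints(bundle []byte) ([]string, error) {
	crts, err := ParseCertificateBundle(bundle)
	if err != nil {
		return nil, err
	}
	fps := make([]string, 0, len(crts))
	for _, crt := range crts {
		fps = append(fps, Fingerprint(crt))
	}
	return fps, nil
}

// newDemoRoot builds a throwaway self-signed CA (constructed demo data, not a
// real step-ca root) and returns it PEM encoded.
func newDemoRoot(cn string, serial int64) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	a, _ := newDemoRoot("Demo Root A", 1)
	b, _ := newDemoRoot("Demo Root B", 2)
	bundle := append(append([]byte{}, a...), b...)
	if _, err := ParseSingleCertificate(bundle); err != nil {
		fmt.Println("single-cert reader:", err)
	}
	fps, err := RootFingerprints(bundle)
	if err != nil {
		fmt.Println(err)
		return
	}
	for i, fp := range fps {
		fmt.Printf("root[%d] fingerprint %s\n", i, fp)
	}
}
```

Returning all fingerprints rather than only the first keeps the choice explicit: during a root rollover the root that a given renewer must trust may not be the first block in the file, so whichever fingerprint the controller ends up injecting, the operator can see which root it corresponds to.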
