scertecd: force renewal on issuer change

Update parseCertMeta to return errNeedNewCert whenever it detects a
change in the issuer regardless of how long is left on the certificate
lifetime. Add TestParseCertMetaIssuerChange to exercise this behavior.

Add .github/workflows/test.yml workflow to run tests for PRs

Updates tailscale/corp#28569

Signed-off-by: Patrick O'Doherty <[email protected]>

Author: patrickod

.github/workflows/test.yml

@@ -0,0 +1,19 @@
+name: Go Test
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        with:
+          go-version: 1.25
+      - run: go test -v ./...

scertecd/scertecd.go

@@ -1013,15 +1013,6 @@ func (s *Server) parseCertMeta(p []byte, privateCA bool) (*certMeta, error) {
 	if len(blocks) == 0 {
 		return nil, errors.New("no PEM blocks found")
 	}
-	if privateCA {
-		if len(blocks) < 2 {
-			return nil, errors.New("not enough PEM blocks found for private CA cert")
-		}
-	} else {
-		if len(blocks) < 3 {
-			return nil, errors.New("not enough PEM blocks found for LE cert")
-		}
-	}
 	if !strings.HasSuffix(blocks[0].Type, " PRIVATE KEY") {
 		return nil, errors.New("first PEM block is not a private key")
 	}
@@ -1052,6 +1043,17 @@ func (s *Server) parseCertMeta(p []byte, privateCA bool) (*certMeta, error) {
 			m.ValidStart = c.NotBefore
 		}
 	}
+	if m.Leaf == nil {
+		return nil, errors.New("no leaf cert found")
+	}
+
+	isLECert := strings.Contains(m.Leaf.Issuer.Organization[0], "Let's Encrypt")
+	if privateCA && isLECert {
+		return m, errNeedNewCert
+	}
+	if isLECert && len(certBlocks) < 2 {
+		return nil, errors.New("expected at least two certs (leaf + issuer) for Let's Encrypt cert")
+	}
 
 	if s.Now().After(m.RenewalTime()) {
 		return m, errNeedNewCert

scertecd/scertecd_test.go

@@ -1,6 +1,7 @@
 package scertecd
 
 import (
+	"bytes"
 	"crypto/ed25519"
 	crand "crypto/rand"
 	"crypto/x509"
@@ -19,7 +20,7 @@ import (
 	"github.com/tailscale/setec/setectest"
 )
 
-func rootCA(t *testing.T, orgName string) (privKey ed25519.PrivateKey, cert *x509.Certificate) {
+func rootCA(t *testing.T, commonName string) (privKey ed25519.PrivateKey, cert *x509.Certificate) {
 	t.Helper()
 
 	// create the test CA
@@ -34,8 +35,8 @@ func rootCA(t *testing.T, orgName string) (privKey ed25519.PrivateKey, cert *x50
 		IsCA:         true,
 		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
 		Subject: pkix.Name{
-			CommonName:   "Test Root CA",
-			Organization: []string{orgName},
+			CommonName:   commonName,
+			Organization: []string{commonName},
 		},
 		BasicConstraintsValid: true,
 	}
@@ -61,6 +62,72 @@ func randSerial(t *testing.T) *big.Int {
 	return n
 }
 
+func TestParseCertMetaIssuerChange(t *testing.T) {
+	lePriv, leCert := rootCA(t, "Let's Encrypt")
+
+	// create a leaf cert signed by Let's Encrypt
+	leafPub, leafPriv, err := ed25519.GenerateKey(crand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pemBytes := new(bytes.Buffer)
+	pkb, err := x509.MarshalPKCS8PrivateKey(leafPriv)
+	if err != nil {
+		t.Fatalf("error marshaling root private key: %v", err)
+	}
+	pem.Encode(pemBytes, &pem.Block{Type: "EC PRIVATE KEY", Bytes: pkb})
+	leaf := x509.Certificate{
+		SerialNumber: randSerial(t),
+		NotBefore:    time.Now().Add(-7 * 24 * time.Hour),
+		NotAfter:     time.Now().Add(60 * 24 * time.Hour),
+		IsCA:         false,
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+	}
+
+	leafDER, err := x509.CreateCertificate(crand.Reader, &leaf, leCert, leafPub, lePriv)
+	if err != nil {
+		t.Fatal(err)
+	}
+	pem.Encode(pemBytes, &pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
+
+	// append the leaf twice (as a fake intermediate) to appease the cert chain length checks
+	pem.Encode(pemBytes, &pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
+
+	cu := certUpdateCheck{
+		s: &Server{
+			Prefix: "test/scertec/",
+			Now:    time.Now,
+		},
+		dt: domainAndType{
+			domain:    "test.tailscale.example",
+			typ:       "ecdsa",
+			privateCA: false,
+		},
+		mu: sync.Mutex{},
+		lg: log.New(io.Discard, "", 0),
+	}
+
+	// parse the LE cert successfully (still with 60 days left)
+	cm, err := cu.s.parseCertMeta(pemBytes.Bytes(), false)
+	if err != nil {
+		t.Fatalf("error parsing cert meta: %v", err)
+	}
+	if cm == nil {
+		t.Fatal("got nil cert meta")
+	}
+
+	// swap to private CA mode and assert we get errNeedNewCert when we check again
+	cu.dt.privateCA = true
+	_, err = cu.s.parseCertMeta(pemBytes.Bytes(), true)
+	if err == nil {
+		t.Fatal("expected error parsing LE cert as private CA, got nil")
+	}
+	if err != errNeedNewCert {
+		t.Fatalf("expected errNeedNewCert, got: %v", err)
+	}
+}
+
 func TestPrivateCARenewal(t *testing.T) {
 	rootPrivKey, rootCert := rootCA(t, "Tailscale Root CA")