Hi guys,
A while ago, a feature was added to (19.1.7), namely
Quote:
adding local CAs to the trusted SSL certificates for most of the system download capabilities, plugin-based PAM authentication rework for IPsec and the web proxy as well as third party fixes for hostapd / wpa_supplicant 2.8 and Suricata 4.1.4
If you are a Nextcloud user using self-signed certs, like me, your backup may be failing, check this! If this is the case, the solution is to still add your self-signed CA to 'ca-root-nss.crt', after this the backup to your cloud will continue to work.
@franco, in forum post https://forum.opnsense.org/index.php?topic=12615.msg58252#msg58252 you said in #4 this feature was added, though, I'm experiencing the opposite and using the above solution. ;)
Thanks, mark
Hi mark,
Self-signed CA or certificate? There's a difference, because only the former works for this feature.
Cheers,
Franco
Hi franco,
Thanks for the super-fast response 8), so if I understand correctly, one still needs to add the CRT to 'ca-root-nss' even though I am using a chain?
Greetings, mark
Hmm, well, so is it a self-signed cert, or a self-signed CA with a cert? Is it a sub-ca?
It's the CA I have added to the store, the chain is CA -> LEAF -> CRT.
edit: sorry, I meant INTERMEDIATE, not LEAF
Does the NextCloud server send the intermediate? If not you need to add this one as well to the authority section.
Cheers,
Franco
Thanks, you mean add it to 'ca-root-nss'?
If CA and intermediate are under System: Trust: Authorities this should start working automatically.
It may miss a sync trigger when editing trust entries... I'm not sure.
# configctl firmware configure
There's no reason the CA and intermediate won't turn up in the crt file then.
Cheers,
Franco
Yes, you see, there lies the problem, both ca & intermediate are added to '/etc/ssl/cert.pem', but it seems they are not used since I still need to add the ca to 'ca-root-nss', or I'm missing something terribly ;D
I did run 'configctl firmware configure' OK
Thanks, mark
The funny thing is ca-root-nss.crt is not for editing because it is the upstream root bundle, not the system root bundle. Case in point is the health audit:
# pkg check -s ca_root_nss
Checking ca_root_nss: 0%
ca_root_nss-3.44.1: checksum mismatch for /usr/local/share/certs/ca-root-nss.crt
Checking ca_root_nss: 100%
Whatever tries to verify your SSL bounces it against the wrong file, but the feature is supposedly working as intended.
Cheers,
Franco
(I'll try to look at this when 19.7-RC1 is out.)
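To make the point above checkable, here is an added example (not code from this thread or from OPNsense) that fingerprints every certificate in a PEM bundle and reports, for a CA and intermediate exported from System: Trust: Authorities, whether they landed in the system bundle (/etc/ssl/cert.pem) and whether they were hand-pasted into the upstream ca-root-nss.crt, which is exactly what 'pkg check -s ca_root_nss' flags. The certificate blobs are constructed placeholders; on a real firewall you would read the two bundle files instead.

```python
import base64
import hashlib
import re

# One PEM certificate block; the base64 body may span several lines.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der(body):
    """Decode the base64 body of one PEM block into raw DER bytes."""
    return base64.b64decode("".join(body.split()))

def fingerprint(der):
    """SHA-256 fingerprint formatted like 'openssl x509 -fingerprint -sha256'."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def bundle_fingerprints(bundle_text):
    """Fingerprints of every certificate found in a PEM bundle."""
    return {fingerprint(pem_to_der(m.group(1))) for m in PEM_CERT.finditer(bundle_text)}

def audit_trust_chain(chain_text, system_bundle, upstream_bundle):
    """For each cert in chain_text (CA + intermediate from System: Trust: Authorities)
    report whether it was synced into the system bundle (/etc/ssl/cert.pem) and
    whether it was pasted into the upstream bundle (ca-root-nss.crt), which is
    what 'pkg check -s ca_root_nss' complains about."""
    system = bundle_fingerprints(system_bundle)
    upstream = bundle_fingerprints(upstream_bundle)
    report = {}
    for m in PEM_CERT.finditer(chain_text):
        fp = fingerprint(pem_to_der(m.group(1)))
        report[fp] = {"in_system_bundle": fp in system, "in_upstream_bundle": fp in upstream}
    return report

def constructed_cert(label):
    """Constructed stand-in for a certificate: PEM framing around an arbitrary payload.
    Only fingerprints are compared here, so no real X.509 structure is needed."""
    body = base64.b64encode(label.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

# Constructed sample data: one public root plus the local CA and intermediate.
PUBLIC_ROOT = constructed_cert("constructed: upstream public root")
LOCAL_CA = constructed_cert("constructed: local root CA")
LOCAL_INTERMEDIATE = constructed_cert("constructed: local intermediate CA")
SYSTEM_BUNDLE = PUBLIC_ROOT + LOCAL_CA + LOCAL_INTERMEDIATE  # state after 'configctl firmware configure'
UPSTREAM_BUNDLE = PUBLIC_ROOT  # ca-root-nss.crt left untouched, so the health audit stays clean

if __name__ == "__main__":
    for fp, where in audit_trust_chain(LOCAL_CA + LOCAL_INTERMEDIATE, SYSTEM_BUNDLE, UPSTREAM_BUNDLE).items():
        print(fp, where)
```

A local CA showing up as in_upstream_bundle=True is the case Franco describes: the backup works, but only because the upstream root bundle was edited, and the checksum mismatch follows.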
@franco: does curl default in the port still point on the wrong location?
Yes, it seems that way. Need to find out if this is libcurl or PHP's doing...
Oh lord, that makes no sense whatsoever as a default.
https://github.com/opnsense/ports/blob/master/ftp/curl/Makefile#L72
Quote from: franco on July 03, 2019, 07:38:46 PM
The funny thing is ca-root-nss.crt is not for editing because it is the upstream root bundle, not the system root bundle. Case in point is the health audit:
# pkg check -s ca_root_nss
Checking ca_root_nss: 0%
ca_root_nss-3.44.1: checksum mismatch for /usr/local/share/certs/ca-root-nss.crt
Checking ca_root_nss: 100%
Whatever tries to verify your SSL bounces it against the wrong file, but the feature is supposedly working as intended.
Cheers,
Franco
Well, need not to worry about the health check, I run my own, notified by tmux on its bar, see link in #1, #3 on that link. It's a remnant from when we did need to add it, but still works.
No worries, I will see when all the pieces make a puzzle again, until then, I have a working situation ;)
Greetings, mark
I understand, but others may raise issues because of failing health audits so it should be avoided as much as possible. 8)
Yep, you're right, though the wiki on self-signed certs addresses this too, I will remove/archive that part as soon as this new situation works as it should. ;)
Greetings, mark
I think this will do it once 19.7.1 is out:
https://github.com/opnsense/ports/commit/0da99051d
Cheers,
Franco
Thanks franco, looks like that will work :P
Thanks franco, it's working perfectly fine 8)
I was still busy solving a problem with Sphinx on ArchLinux, see https://github.com/sphinx-doc/sphinx/issues/6597 which the programmers don't find urgent I think, so I was not ready with the wiki page yet... :-[
Will adapt the changes as soon as I have the time, somewhere tomorrow I think; be patient, I will push them.
Greetings, mark
Hi Mark,
Nice to hear. And thanks for keeping project devs on their toes everywhere. Appreciate it! :)
Cheers,
Franco