[Solved] Own package mirror with "self-signed" certificate

Started by ronott, September 23, 2020, 11:53:04 AM

Hi,

I set up a package mirror for OPNsense with an SSL/TLS certificate signed by a private Certificate Authority (Corp. environment, multiple firewall clusters).

After lots of googling, the only way to add our private CA I've found was to append our Root and Intermediate certificate to [/usr/local]/etc/ssl/cert.pem, which gets overwritten every time the ca_root_nss package is updated or OPNsense is rebooted. Is this really the only way to add a private CA cert in FreeBSD?

Adding the certs to System::Trust::Authorities doesn't help. <-- It does help and solves the issue
The way described by (0) doesn't work for the pkg command (it works when using the openssl command though).

(0) https://blog.socruel.nu/freebsd/how-to-install-private-CA-on-freebsd.html

Sorry, what's wrong with "System::Trust::Authorities"?
Quote: gets overwritten every time the ca_root_nss package is updated or OPNsense is rebooted
AFAIK OPNsense gets the description and <crt>s from config, adds them to the ca_root_nss content and copies the result to cert.pem
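A quick way to confirm that the rewritten bundle actually carries the private CAs (added example, not code from the thread or from OPNsense): split cert.pem into its PEM blocks, fingerprint each DER body, and report which of your own CA certificates are missing. The PEM bodies below are constructed placeholders, not real certificates; on a firewall you would read `/usr/local/etc/ssl/cert.pem` and your exported CA files instead.

```python
import base64
import hashlib
import re

# One PEM certificate block inside a bundle such as /usr/local/etc/ssl/cert.pem
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(bundle_text):
    """SHA-256 fingerprint (hex) of every certificate in a PEM bundle.

    Each block is base64-decoded to DER and hashed, which is the same value
    `openssl x509 -noout -fingerprint -sha256` prints (up to formatting).
    """
    fps = []
    for m in PEM_BLOCK.finditer(bundle_text):
        der = base64.b64decode("".join(m.group(1).split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def missing_from_bundle(bundle_text, private_ca_pems):
    """Fingerprints of the private CA certs that are NOT in the bundle."""
    present = set(pem_fingerprints(bundle_text))
    wanted = pem_fingerprints("\n".join(private_ca_pems))
    return [fp for fp in wanted if fp not in present]


def _fake_pem(body):
    # Constructed placeholder: a PEM-shaped block whose body is NOT a real
    # certificate, used only so the example runs offline.
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


ROOT_CA = _fake_pem(b"constructed: Corp Root CA placeholder")
INTERMEDIATE_CA = _fake_pem(b"constructed: Corp Issuing CA placeholder")
NSS_ROOT = _fake_pem(b"constructed: stand-in for a ca_root_nss certificate")

# Bundle as ca_root_nss ships it, and as OPNsense rewrites it once the private
# CAs have been added under System > Trust > Authorities.
BUNDLE_STOCK = NSS_ROOT
BUNDLE_REWRITTEN = NSS_ROOT + ROOT_CA + INTERMEDIATE_CA


def check(bundle_text):
    return missing_from_bundle(bundle_text, [ROOT_CA, INTERMEDIATE_CA])


if __name__ == "__main__":
    print("stock bundle missing:", len(check(BUNDLE_STOCK)))
    print("rewritten bundle missing:", len(check(BUNDLE_REWRITTEN)))
```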

Quote from: Fright on September 23, 2020, 05:49:43 PM
whats wrong with " System::Trust::Authorities"?
I put my certificates (Root CA and Issuing Intermediate CA) there but the update function still didn't accept my mirror's certificate.
I'll try that again.

Edit:
Feeling kinda dumb right now ... Just added our certificates again, and it worked ... Thanks for the hint!

Hi,

I think this one was fixed in 19.1.7 a while back:

o system: cleanly rewrite CA root files and add local trusted CAs as well


Cheers,
Franco