Stream: inferno
Topic: Trusted CAs for Inferno local installs
Cooper Thompson (Apr 27 2021 at 21:01):
I've been digging through the source and the docker containers, but figured I'd just ask in case any of you know off the top of your head. I have a local deploy of Inferno using your docker containers. I want to add a local Cert Authority as trusted for the Ruby HTTP client you're using. Any idea where I can drop the CA cert in the docker container for Ruby to pick it up?
Robert Scanlon (Apr 28 2021 at 13:50):
I do not -- I recall it being a little tricky for some reason, but we should figure it out. We do have flags in config.yml to turn off SSL certificate validation (disable_verify_peer) and you can also disable the handful of tests we have throughout for checking TLS versions supported by the server (disable_tls_tests). But that isn't a great solution. FYI @Michael O'Keefe @Stephen MacVicar
Stephen MacVicar (Apr 28 2021 at 13:54):
I believe you can put it anywhere and set the SSL_CERT_FILE environment variable to the path to the cert chain you want to use.
Stephen MacVicar (Apr 28 2021 at 13:59):
I believe that will make ruby ONLY look at that cert file, so if you need to add your custom cert to the system certs rather than replacing them it's a bit more complicated.
Cooper Thompson (Jul 06 2021 at 22:03):
Finally got around to testing this. I ended up making edits to the Dockerfile to append my local CA cert to the existing /etc/ssl/certs/ca-certificates.crt in the container, and then adding ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt. I couldn't figure out where openssl was pulling the default cert list from without SSL_CERT_FILE set.
You can test that the CA cert is working using openssl s_client -connect servername.com:443. If openssl is happy, then ruby will be happy.
Last updated: Apr 12 2022 at 19:14 UTC