Uploaded image for project: 'CFEngine Community'
  1. CFEngine Community
  2. CFE-3282

Ability to override CAfile and CApath and disable certificate checking for url_get()

    XMLWordPrintable

    Details

      Description

      Running 3.15.0 on an opensuse host I had issues querying some https host.

      It would be nice if I could specify the CAfile and CApath or simply choose to disable certificate checking.

      opensuse15:~ # cat /etc/os-release 
NAME="openSUSE Leap"
VERSION="15.2 Alpha"
ID="opensuse-leap"
ID_LIKE="suse opensuse"
VERSION_ID="15.2"
PRETTY_NAME="openSUSE Leap 15.2 Alpha"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:leap:15.2"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"

      I set url.verbose to 1 and I saw the problem was in setting the certificate verify locations.

      opensuse15:~ # cf-agent -KIb lynis:main --define DEBUG --show-evaluated-vars > /tmp/out
    Trying 37.97.194.171:443...
  TCP_NODELAY set
  Connected to downloads.cisofy.com (37.97.194.171) port 443 (#0)
  ALPN, offering http/1.1
  error setting certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
  Closing connection 0
opensuse15:~ #

      I think that I should be able to set those paths using options. To get it working I had to symlink things to the expected location.

      opensuse15:~ # ls /etc/ssl/ -al
total 28
drwxr-xr-x 1 root root   142 Dec 22 18:38 .
drwxr-xr-x 1 root root  4392 Dec 22 21:10 ..
lrwxrwxrwx 1 root root    38 Sep 20 15:42 ca-bundle.pem -> /var/lib/ca-certificates/ca-bundle.pem
lrwxrwxrwx 1 root root    28 Sep 20 15:42 certs -> /var/lib/ca-certificates/pem
-rw-r--r-- 1 root root   412 Dec  6 09:59 ct_log_list.cnf
-rw-r--r-- 1 root root   412 Dec  6 09:59 ct_log_list.cnf.dist
-rw-r--r-- 1 root root 10909 Dec  6 09:59 openssl.cnf
drwx------ 1 root root     0 Dec  6 09:59 private

mkdir -p /etc/pki/tls/certs/
ln -s /var/lib/ca-certificates/ca-bundle.pem /etc/pki/tls/certs/ca-bundle.crt

      That got me further.

      opensuse15:~ # cf-agent -KIb lynis:main --define DEBUG --show-evaluated-vars > /tmp/out
*   Trying 37.97.194.171:443...
* TCP_NODELAY set
* Connected to downloads.cisofy.com (37.97.194.171) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.cisofy.com
*  start date: Mar  2 00:00:00 2018 GMT
*  expire date: Mar 22 12:00:00 2020 GMT
*  subjectAltName: host "downloads.cisofy.com" matched cert's "*.cisofy.com"
*  issuer: C=NL; O=Trust Provider B.V.; OU=Domain Validated SSL; CN=Trust Provider B.V. TLS RSA CA G1
*  SSL certificate verify ok.
> GET /lynis/lynis-2.7.5.tar.gz HTTP/1.1
Host: downloads.cisofy.com
Accept: */*

* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx
< Date: Thu, 27 Feb 2020 17:56:38 GMT
< Content-Type: application/octet-stream
< Content-Length: 288688
< Last-Modified: Mon, 24 Jun 2019 13:56:27 GMT
< Connection: keep-alive
< ETag: "5d10d68b-467b0"
< Expires: Thu, 12 Mar 2020 17:56:38 GMT
< Cache-Control: max-age=1209600
< Cache-Control: public
< Vary: Accept-Encoding
< Accept-Ranges: bytes
< 
* Connection #0 to host downloads.cisofy.com left intact
*   Trying 37.97.194.171:443...
* TCP_NODELAY set
* Connected to downloads.cisofy.com (37.97.194.171) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.cisofy.com
*  start date: Mar  2 00:00:00 2018 GMT
*  expire date: Mar 22 12:00:00 2020 GMT
*  subjectAltName: host "downloads.cisofy.com" matched cert's "*.cisofy.com"
*  issuer: C=NL; O=Trust Provider B.V.; OU=Domain Validated SSL; CN=Trust Provider B.V. TLS RSA CA G1
*  SSL certificate verify ok.
> GET /lynis/lynis-2.7.5.tar.gz HTTP/1.1
Host: downloads.cisofy.com
Accept: */*

fi* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx
< Date: Thu, 27 Feb 2020 17:56:40 GMT
< Content-Type: application/octet-stream
< Content-Length: 288688
< Last-Modified: Mon, 24 Jun 2019 13:56:27 GMT
< Connection: keep-alive
< ETag: "5d10d68b-467b0"
< Expires: Thu, 12 Mar 2020 17:56:40 GMT
< Cache-Control: max-age=1209600
< Cache-Control: public
< Vary: Accept-Encoding
< Accept-Ranges: bytes
< 
le * Connection #0 to host downloads.cisofy.com left intact

      Unfortunately, I still couldn't cross the finish line with what I was attempting. I was trying to use url_get() to download a tar.gz, but I couldn't figure out how to write the binary data in url_get() content response to disk correctly. Which is why I think we still need CFE-1627.

        Attachments

          Issue Links

          relates to

          Task - A task that needs to be done. CFE-1627 Support for http/ftp (or other URI patters) in copy_from

          • Higher - Almost a blocker
          • Open

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              a10042 Nick Anderson
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated: