CFEngine Community, issue CFE-3282

Ability to override CAfile and CApath for url_get()

      Description

      Running 3.15.0 on an opensuse host I had issues querying some https host.

      opensuse15:~ # cat /etc/os-release 
      NAME="openSUSE Leap"
      VERSION="15.2 Alpha"
      ID="opensuse-leap"
      ID_LIKE="suse opensuse"
      VERSION_ID="15.2"
      PRETTY_NAME="openSUSE Leap 15.2 Alpha"
      ANSI_COLOR="0;32"
      CPE_NAME="cpe:/o:opensuse:leap:15.2"
      BUG_REPORT_URL="https://bugs.opensuse.org"
      HOME_URL="https://www.opensuse.org/"
      

      I set url.verbose to 1 and I saw the problem was in setting the certificate verify locations.

      opensuse15:~ # cf-agent -KIb lynis:main --define DEBUG --show-evaluated-vars > /tmp/out
      *   Trying 37.97.194.171:443...
      * TCP_NODELAY set
      * Connected to downloads.cisofy.com (37.97.194.171) port 443 (#0)
      * ALPN, offering http/1.1
      * error setting certificate verify locations:
      *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
        CApath: none
      * Closing connection 0
      opensuse15:~ # 
      

      I think that I should be able to set those paths using options. To get it working I had to symlink things to the expected location.

      opensuse15:~ # ls /etc/ssl/ -al
      total 28
      drwxr-xr-x 1 root root   142 Dec 22 18:38 .
      drwxr-xr-x 1 root root  4392 Dec 22 21:10 ..
      lrwxrwxrwx 1 root root    38 Sep 20 15:42 ca-bundle.pem -> /var/lib/ca-certificates/ca-bundle.pem
      lrwxrwxrwx 1 root root    28 Sep 20 15:42 certs -> /var/lib/ca-certificates/pem
      -rw-r--r-- 1 root root   412 Dec  6 09:59 ct_log_list.cnf
      -rw-r--r-- 1 root root   412 Dec  6 09:59 ct_log_list.cnf.dist
      -rw-r--r-- 1 root root 10909 Dec  6 09:59 openssl.cnf
      drwx------ 1 root root     0 Dec  6 09:59 private
      
      mkdir -p /etc/pki/tls/certs/
      ln -s /var/lib/ca-certificates/ca-bundle.pem /etc/pki/tls/certs/ca-bundle.crt
      

      That got me further.

      opensuse15:~ # cf-agent -KIb lynis:main --define DEBUG --show-evaluated-vars > /tmp/out
      *   Trying 37.97.194.171:443...
      * TCP_NODELAY set
      * Connected to downloads.cisofy.com (37.97.194.171) port 443 (#0)
      * ALPN, offering http/1.1
      * successfully set certificate verify locations:
      *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
        CApath: none
      * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
      * ALPN, server accepted to use http/1.1
      * Server certificate:
      *  subject: CN=*.cisofy.com
      *  start date: Mar  2 00:00:00 2018 GMT
      *  expire date: Mar 22 12:00:00 2020 GMT
      *  subjectAltName: host "downloads.cisofy.com" matched cert's "*.cisofy.com"
      *  issuer: C=NL; O=Trust Provider B.V.; OU=Domain Validated SSL; CN=Trust Provider B.V. TLS RSA CA G1
      *  SSL certificate verify ok.
      > GET /lynis/lynis-2.7.5.tar.gz HTTP/1.1
      Host: downloads.cisofy.com
      Accept: */*
      
      * Mark bundle as not supporting multiuse
      < HTTP/1.1 200 OK
      < Server: nginx
      < Date: Thu, 27 Feb 2020 17:56:38 GMT
      < Content-Type: application/octet-stream
      < Content-Length: 288688
      < Last-Modified: Mon, 24 Jun 2019 13:56:27 GMT
      < Connection: keep-alive
      < ETag: "5d10d68b-467b0"
      < Expires: Thu, 12 Mar 2020 17:56:38 GMT
      < Cache-Control: max-age=1209600
      < Cache-Control: public
      < Vary: Accept-Encoding
      < Accept-Ranges: bytes
      < 
      * Connection #0 to host downloads.cisofy.com left intact
      *   Trying 37.97.194.171:443...
      * TCP_NODELAY set
      * Connected to downloads.cisofy.com (37.97.194.171) port 443 (#0)
      * ALPN, offering http/1.1
      * successfully set certificate verify locations:
      *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
        CApath: none
      * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
      * ALPN, server accepted to use http/1.1
      * Server certificate:
      *  subject: CN=*.cisofy.com
      *  start date: Mar  2 00:00:00 2018 GMT
      *  expire date: Mar 22 12:00:00 2020 GMT
      *  subjectAltName: host "downloads.cisofy.com" matched cert's "*.cisofy.com"
      *  issuer: C=NL; O=Trust Provider B.V.; OU=Domain Validated SSL; CN=Trust Provider B.V. TLS RSA CA G1
      *  SSL certificate verify ok.
      > GET /lynis/lynis-2.7.5.tar.gz HTTP/1.1
      Host: downloads.cisofy.com
      Accept: */*
      
      * Mark bundle as not supporting multiuse
      < HTTP/1.1 200 OK
      < Server: nginx
      < Date: Thu, 27 Feb 2020 17:56:40 GMT
      < Content-Type: application/octet-stream
      < Content-Length: 288688
      < Last-Modified: Mon, 24 Jun 2019 13:56:27 GMT
      < Connection: keep-alive
      < ETag: "5d10d68b-467b0"
      < Expires: Thu, 12 Mar 2020 17:56:40 GMT
      < Cache-Control: max-age=1209600
      < Cache-Control: public
      < Vary: Accept-Encoding
      < Accept-Ranges: bytes
      < 
      * Connection #0 to host downloads.cisofy.com left intact
      

      Unfortunately, I still couldn't cross the finish line with what I was attempting. I was trying to use url_get() to download a tar.gz, but I couldn't figure out how to write the binary data in url_get() content response to disk correctly. Which is why I think we still need CFE-1627.
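The failure in the report comes from a compiled-in default CAfile that does not exist on openSUSE, and the symlink workaround points that path at the distribution bundle by hand. The script below is an added example and is not part of CFE-3282 or of CFEngine: it takes the CAfile/CApath lines a libcurl-based client prints in verbose mode, checks whether those locations are actually usable on the host (a readable PEM file with at least one certificate, or a directory of OpenSSL hashed links), and, when they are not, reports which of the usual distribution bundle paths exists. The openSUSE candidate path is the one from the report; the Debian/Ubuntu, RHEL/Fedora and `/etc/ssl/cert.pem` candidates are assumed defaults, and the script names and the `--check` option are hypothetical.

```shell
#!/bin/sh
# Added example, not part of CFE-3282 or of CFEngine: check whether the
# certificate verify locations a TLS client reports are usable, and find
# the bundle this host actually ships when they are not.

# Candidate CA bundle paths. The first is the openSUSE location from the
# report; the rest are assumed defaults for Debian/Ubuntu, RHEL/Fedora and
# Alpine/BSD-style layouts. first_usable_bundle accepts other paths as args.
CA_CANDIDATES="/var/lib/ca-certificates/ca-bundle.pem /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/cert.pem"

# count_certs FILE: number of PEM certificates in FILE (0 if unreadable)
count_certs() {
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
  echo "${n:-0}"
}

# bundle_usable FILE: succeeds only if FILE is a readable PEM bundle holding
# at least one certificate, so an empty or truncated bundle is rejected
# rather than silently leaving verification with no trust anchors
bundle_usable() {
  [ -f "$1" ] && [ -r "$1" ] && [ "$(count_certs "$1")" -gt 0 ]
}

# capath_usable DIR: succeeds if DIR holds OpenSSL-style hashed names
# (8 hex digits, a dot, a sequence number), which is what a CApath needs
capath_usable() {
  [ -d "$1" ] && ls "$1" 2>/dev/null | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'
}

# parse_locations: read a client's verbose output on stdin and print the
# last CAfile and CApath values it reported ("none" when absent)
parse_locations() {
  awk '/CAfile:/ { f = $NF } /CApath:/ { p = $NF }
       END { if (f == "") f = "none"; if (p == "") p = "none"; print f, p }'
}

# verify_locations CAFILE CAPATH: approximate the check a client performs
# when it loads its verify locations; "none" means not configured. Succeeds
# if at least one location is usable and prints a diagnosis either way.
verify_locations() {
  ok=1
  if [ "$1" != "none" ]; then
    if bundle_usable "$1"; then
      echo "CAfile ok: $1 ($(count_certs "$1") certificates)"; ok=0
    else
      echo "CAfile unusable: $1"
    fi
  fi
  if [ "$2" != "none" ]; then
    if capath_usable "$2"; then
      echo "CApath ok: $2"; ok=0
    else
      echo "CApath unusable: $2"
    fi
  fi
  return $ok
}

# first_usable_bundle [PATH...]: print the first usable bundle among the
# given paths (default: CA_CANDIDATES); fails if none is usable
first_usable_bundle() {
  [ $# -gt 0 ] || set -- $CA_CANDIDATES
  for p in "$@"; do
    if bundle_usable "$p"; then
      echo "$p"
      return 0
    fi
  done
  return 1
}

# Stand-alone use (hypothetical file name): pipe the failing client's
# verbose output into   sh check_ca_locations.sh --check
if [ "${1:-}" = "--check" ]; then
  set -- $(parse_locations)
  if ! verify_locations "${1:-none}" "${2:-none}"; then
    if alt=$(first_usable_bundle); then
      echo "usable bundle on this host: $alt"
    else
      echo "no usable bundle found among: $CA_CANDIDATES"
    fi
  fi
fi
```

Run against the first log in the report, the script flags `/etc/pki/tls/certs/ca-bundle.crt` as unusable and names `/var/lib/ca-certificates/ca-bundle.pem` as the bundle to point the client at, which is the information needed either for a per-call override option like the one requested here or for the symlink workaround; checking the certificate count guards against the case where the path exists but is an empty placeholder.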

Reporter: Nick Anderson