[Nix-dev] Installing CA certificates

zimbatm zimbatm at zimbatm.com
Sat Feb 20 00:58:55 CET 2016


I am starting to think that the installed certificate is not the right one.
What if you run `curl --cacert /path/to/cert.pem -v https://yourservice` ?
It would be useful to get the full output to make sure we didn't miss
anything. And also the output of `openssl x509 -in /path/to/cert.pem -text`.

On Fri, 19 Feb 2016 at 22:28 Adam Russell <adamlr6 at gmail.com> wrote:

> Using that page as reference, I ran this command:
>
> certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n DEV.LOCAL -i
> /etc/ssl/certs/ca-certificates.crt
>
> That page did lead me to some other pages that might be helpful:
>
> https://wiki.archlinux.org/index.php/Chromium/Tips_and_tricks#Adding_CAcert_certificates_for_self-signed_certificates
> http://blog.xelnor.net/firefox-systemcerts/
>
> https://chromium.googlesource.com/chromium/src/+/master/docs/linux_cert_management.md
>
> And in particular, http://superuser.com/a/719047/73086
>
> However, things still don't work, and running the openssl command as
> recommended in the last link doesn't give me the expected "verify return
> code" of 0 (ok). Instead, it's 21 (unable to verify the first certificate).
>
> This is all way over my head. I have some more reading to do. Once I do
> figure it out, I think I will suggest having the NixOS module take care of
> whatever steps are necessary to fix this, assuming it can be done in a
> reproducible manner.
>
> On Fri, Feb 19, 2016 at 11:42 AM zimbatm <zimbatm at zimbatm.com> wrote:
>
>> Found this which might be useful to you:
>> http://mindref.blogspot.co.uk/2011/02/nssdb-add-ca-certificate.html
>>
>>
>> On Fri, 19 Feb 2016 at 17:36 zimbatm <zimbatm at zimbatm.com> wrote:
>>
>>> curl should work just fine then. Can you paste the output of `curl -v
>>> https://yoursite.com` ?
>>>
>>> Chromium uses NSS which has another mechanism for its PKI which I don't
>>> know. Can you confirm that your cert is also in
>>> /etc/pki/tls/certs/ca-bundle.crt ?
>>> Also do you have anything under ~/.pki ?
>>>
>>>
>>> On Fri, 19 Feb 2016 at 16:47 Adam Russell <adamlr6 at gmail.com> wrote:
>>>
>>>> The output is:
>>>>
>>>> $ echo $SSL_CERT_FILE
>>>> /etc/ssl/certs/ca-certificates.crt
>>>> $ echo $CURL_CA_BUNDLE
>>>>
>>>> $
>>>>
>>>> And yes, the certificates are in that file. Is there another step that
>>>> needs to happen for curl and Chromium to be able to use them?
>>>>
>>>> On Fri, Feb 19, 2016 at 9:26 AM zimbatm <zimbatm at zimbatm.com> wrote:
>>>>
>>>>> What is the output of `echo $SSL_CERT_FILE` and `echo $CURL_CA_BUNDLE`
>>>>> ?
>>>>> If one of those is set, look in the pointed file if you can find your
>>>>> certificate.
>>>>>
>>>>> On Fri, 19 Feb 2016 at 15:12 Adam Russell <adamlr6 at gmail.com> wrote:
>>>>>
>>>>>> Thomas, I've not used the openssl command-line tool before, and
>>>>>> looking at its documentation I'm not sure what command I would run in order
>>>>>> to test it, or what output to look for. I can tell you that curl doesn't
>>>>>> work against the domains in question, though (at least without the insecure
>>>>>> flag).
>>>>>>
>>>>>> Regardless, with or without the "comment" with the equal signs
>>>>>> separator, adding things to security.pki.certificates has no effect for me.
>>>>>> Is there a bug, or am I doing something wrong?
>>>>>>
>>>>>> On Thu, Feb 18, 2016 at 1:31 PM Thomas Hunger <tehunger at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Adam,
>>>>>>>
>>>>>>> Can you make the TLS call work with a command line tool like
>>>>>>> openssl? I'm not 100% sure but I think that Chrome might use a different
>>>>>>> set of trusted certs (based on the Mozilla ones) [1].
>>>>>>>
>>>>>>> ~
>>>>>>>
>>>>>>> [1]
>>>>>>> https://www.chromium.org/Home/chromium-security/root-ca-policy
>>>>>>>
>>>>>>> On 18 February 2016 at 13:53, Adam Russell <adamlr6 at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hello Nix-Dev,
>>>>>>>>
>>>>>>>> I'm trying to understand how to install CA certificates in NixOS.
>>>>>>>>
>>>>>>>> If I visit my work's webmail in Chromium, I get an indicator that
>>>>>>>> my connection is not private. Clicking the padlock icon in the address bar,
>>>>>>>> then the "Certificate information" link in the Connection tab, going to the
>>>>>>>> "Details" tab, and clicking "Export" allows me to download a certificate.
>>>>>>>>
>>>>>>>> The text in this export is what I am supposed to put in the array
>>>>>>>> in `security.pki.certificates` option of `/etc/nixos/configuration.nix`,
>>>>>>>> correct? Am I missing something?
>>>>>>>>
>>>>>>>> The documentation I am using is at:
>>>>>>>> https://github.com/NixOS/nixpkgs/blob/6e6a96d42cf56cfcd042bbeab89e37f442f0cfcc/nixos/modules/security/ca.nix#L39-L45
>>>>>>>>
>>>>>>>> Does the text above the equal signs have any significance
>>>>>>>> ("NixOS.org" in the example), or is it just a comment?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> -Adam
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> nix-dev mailing list
>>>>>>>> nix-dev at lists.science.uu.nl
>>>>>>>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>>>>>>>>
>>>>>>
>>>>>
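As an added example, not part of this thread or of the NixOS module, here is a small Python script that does the check zimbatm asked for ("confirm that your cert is also in the bundle") without guessing: it parses a PEM bundle in the layout `/etc/ssl/certs/ca-certificates.crt` uses (a name line and a row of `=` signs before each block, tolerant of CRLF), computes the colon-separated fingerprints that `openssl x509 -noout -fingerprint -sha256` prints for the same DER bytes, and reports whether a given exported certificate is present. The sample "certificates" below are constructed base64 blobs, not real X.509 data, so the script runs offline; point `bundle_index` at a real bundle file to compare against the fingerprint Chromium shows in the certificate details.

```python
import base64
import hashlib
import re
import textwrap
from typing import Dict, List

# One PEM CERTIFICATE block. DOTALL plus \s handles CRLF line endings and the
# "NixOS.org" / "=====" name lines that bundles put between blocks.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_to_der_blocks(pem_text: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    ders = []
    for match in _PEM_BLOCK.finditer(pem_text):
        body = re.sub(r"\s+", "", match.group(1))  # drop line breaks inside the base64
        ders.append(base64.b64decode(body, validate=True))
    return ders


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Upper-case, colon-separated digest of the DER encoding, the same layout
    `openssl x509 -noout -fingerprint -<algorithm>` prints."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_index(bundle_pem: str) -> Dict[str, bytes]:
    """Map SHA-256 fingerprint -> DER for every certificate in a bundle."""
    return {fingerprint(der): der for der in pem_to_der_blocks(bundle_pem)}


def cert_in_bundle(cert_pem: str, bundle_pem: str) -> bool:
    """True if the single certificate in cert_pem appears (byte-for-byte) in bundle_pem."""
    candidates = pem_to_der_blocks(cert_pem)
    if len(candidates) != 1:
        raise ValueError("expected exactly one certificate, got %d" % len(candidates))
    return fingerprint(candidates[0]) in bundle_index(bundle_pem)


def _constructed_cert(label: str) -> str:
    """Constructed sample: a PEM wrapper around arbitrary bytes, NOT a real certificate."""
    body = base64.b64encode(("constructed sample certificate " + label).encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
        "\n".join(textwrap.wrap(body, 64)))


# Constructed inputs: two "certificates" in a bundle laid out like ca-certificates.crt.
SAMPLE_CERT_A = _constructed_cert("A")
SAMPLE_CERT_B = _constructed_cert("B")
SAMPLE_CERT_C = _constructed_cert("C")  # exported but never installed
SAMPLE_BUNDLE = "NixOS.org\n=========\n" + SAMPLE_CERT_A + "\nwork.example\n============\n" + SAMPLE_CERT_B

if __name__ == "__main__":
    for fp in bundle_index(SAMPLE_BUNDLE):
        print("in bundle:", fp)
    print("cert A installed:", cert_in_bundle(SAMPLE_CERT_A, SAMPLE_BUNDLE))
    print("cert C installed:", cert_in_bundle(SAMPLE_CERT_C, SAMPLE_BUNDLE))
```

A certificate that is present in the bundle but still yields "unable to verify the first certificate" is the case zimbatm suspects: the file holds the server's own (leaf) certificate rather than the CA that signed it, so there is nothing in the store that can verify it. Comparing the fingerprint reported here against the issuer's fingerprint in `openssl x509 -in /path/to/cert.pem -text` tells the two cases apart.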