
ca-certificates

Open nfour14 opened this issue 5 years ago • 7 comments

Hi! Just started using this image/container.

Is there a mechanism to update the ca-certificates.crt file? Seems like it's updating it in /etc/ssl but not the copy in /unbound.

I know this is a bit old now and you might not be maintaining it anymore, but I figured I would ask.

nfour14 avatar Oct 31 '20 22:10 nfour14

Hi there!

I'm still maintaining it, although I haven't got the time so far to do a big rewrite of it.

Anyway, I don't think (on my phone) the program updates anything besides the block lists, the named root and the root key from https://github.com/qdm12/files

Why would it need to update the certificates file?

Thanks for your suggestion!

qdm12 avatar Nov 01 '20 02:11 qdm12

Excellent!

In terms of the certificate files, it looks like unbound has a "tls-cert-bundle" specified, which means it is verifying the certificates of the forwarders AFAIK.

That cert bundle is ca-certificates.crt, which you are pulling in during build time it looks like: apk --update --progress -q add ca-certificates unbound libcap && \

So I would imagine when the container is built it gets the newest cert bundle.

"tls-cert-bundle" points to /unbound/ca-certificates.crt

This kind of sums it up: https://www.ctrl.blog/entry/unbound-tls-forwarding.html

The bundle has root certs that might expire, get updated, etc....so if you run "update-ca-certificates" it updates the bundle.

https://www.shocknetwork.com/2020/06/15/use-update-ca-trust-or-update-ca-certificates/

I might be 100% wrong, or maybe it's not a huge deal....just figured I would ask :)

nfour14 avatar Nov 01 '20 14:11 nfour14

I wanted to add - I think when you "apk update" it takes down the newest certificate bundle to /etc/ssl/certs. I tried linking the unbound config file to /etc/ssl/certs/ca-certificate.crt and when the health check happens, unbound cannot restart due to file permissions. I might try to fix that this weekend and see if I can do something simple.

nfour14 avatar Nov 02 '20 12:11 nfour14

Don't worry, I'll do it in Go (the glue language to supervise Unbound). Either with Alpine's apk or with another way preferably (to avoid depending on Alpine too much). I should be able to do it in the coming week.

qdm12 avatar Nov 02 '20 13:11 qdm12

Thanks, that's appreciated!

nfour14 avatar Nov 02 '20 13:11 nfour14

Sorry for the long delay! I had a look into it this morning, and it looks rather complicated to update in an OS-agnostic way. I'm not sure where to fetch it from except using Alpine's builtin apk 😕 I'll have another look soon.

qdm12 avatar Jan 02 '21 20:01 qdm12

Asked on Reddit here.

Also found curl.se/docs/caextract.html which seems to be an extract of Mozilla CA certificates.

It might have to be transformed to be in the same form as it is on Alpine with

docker run -it --rm alpine:3.13
apk add ca-certificates
ls /etc/ssl/certs

I'll investigate more in the coming days, thanks for your patience.

qdm12 avatar Apr 11 '21 22:04 qdm12
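A check a Go supervisor could run on a freshly fetched bundle (for example the curl.se extract mentioned above) before swapping it in for the file that tls-cert-bundle points at, so an expired or malformed download never replaces a working ca-certificates.crt. This is an added example, not code from this project; SelfSignedCA only builds a throwaway fixture so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckBundle parses a PEM bundle such as ca-certificates.crt and returns how many
// CA certificates are valid at time now, plus the common names of those that are not
// (expired, not yet valid, or not a CA). An error means: keep the old bundle.
func CheckBundle(bundle []byte, now time.Time) (valid int, unusable []string, err error) {
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // ignore stray blocks such as keys or comments
		}
		cert, perr := x509.ParseCertificate(block.Bytes)
		if perr != nil {
			return 0, nil, fmt.Errorf("malformed certificate in bundle: %w", perr)
		}
		if !cert.IsCA || now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			unusable = append(unusable, cert.Subject.CommonName)
			continue
		}
		valid++
	}
	if valid == 0 {
		err = fmt.Errorf("bundle contains no usable CA certificate")
	}
	return valid, unusable, err
}

// SelfSignedCA returns a constructed throwaway CA certificate in PEM form so the
// example has something to parse offline; it is not a real trusted root.
func SelfSignedCA(cn string, notBefore, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Only when CheckBundle returns no error should the new file be written over /unbound/ca-certificates.crt (world-readable, since unbound reloads it after dropping privileges).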