
Updating cacert with new one from https://curl.se/docs/caextract.html

Open xaf opened this issue 4 years ago • 7 comments

image

^ To update the store that hasn't been updated in a while and that does not contain the new Let's Encrypt root certs. This only updates cacert.pem though, as I'm not sure what cacert1024.pem entails.

xaf avatar Sep 30 '21 15:09 xaf

The DST Root CA X3 cert should be removed as well, per https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

cmcculler avatar Sep 30 '21 15:09 cmcculler

Just took the last update from https://curl.se/docs/caextract.html. I'd prefer to avoid touching the file content myself, knowing that DST Root CA X3 is expired anyway :)

xaf avatar Sep 30 '21 15:09 xaf

+1 for the problem, but manually patching the proposed cacert.pem into the gem doesn't seem to resolve the "certificate verify failed" issues for Let's Encrypt certificates, so not sure it works?

jamesyale avatar Sep 30 '21 17:09 jamesyale

@nahi: Can you please take a look?

FraDim avatar Sep 30 '21 17:09 FraDim

+1 for the problem, but manually patching the proposed cacert.pem into the gem doesn't seem to resolve the "certificate verify failed" issues for Let's Encrypt certificates, so not sure it works?

This PR has been tested and succeeded in solving the problem for cases using that library. A number of other systems hardcoding cacert.pem have been affected though. The long-term solution should be to not hardcode those anymore, and to use the ones from the system!

xaf avatar Sep 30 '21 18:09 xaf

The long-term solution should be to not hardcode those anymore, and to use the ones from the system!

As far as this gem goes, then, as a step in that direction, would it make sense to have a PR so that it could be configured globally to use system certs vs bundled certs? I think right now it requires a "monkey-patch" to configure this globally in httpclient?

jrochkind avatar Sep 30 '21 18:09 jrochkind

The long-term solution should be to not hardcode those anymore, and to use the ones from the system!

As far as this gem goes, then, as a step in that direction, would it make sense to have a PR so that it could be configured globally to use system certs vs bundled certs? I think right now it requires a "monkey-patch" to configure this globally in httpclient?

Monkey-patch-wise, we just worked round this in production using this (https://github.com/livelink/httpclient/commit/c1b97a7567e75c31c99fb502b10bfb975d921196#diff-2a6765023b9beb8295399d5c04286045360ce90aabfffead2dba5c2c3ef71173) - it uses the system CA certs rather than the bundled files, so as long as your system is up to date, it just works ™️

Might be useful to anyone seeing this right now until a proper patch is released :)

jamesyale avatar Sep 30 '21 19:09 jamesyale
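Two practical checks come out of this thread: whether a bundled cacert.pem still carries the expired DST Root CA X3 root (cmcculler's point), and how to make an HTTPClient instance trust the OS store instead of the gem's bundled file (jrochkind's question and jamesyale's workaround). The Ruby below is an added example written for this page, not code from the httpclient project or from any of the commenters. `audit_bundle`, `parse_bundle`, `common_name`, `use_system_certs!` and `self_signed_root` are names chosen here; the bundle it audits is built from constructed self-signed roots so it runs offline, with "DST Root CA X3" as a stand-in subject name rather than the real certificate. `SSLConfig#set_default_paths` is the gem's own method as I know it (it replaces the cert store with one loaded from OpenSSL's default CA paths and marks the bundled file as already loaded); check it against the gem version you run.

```ruby
require 'openssl'
require 'time'

# Parse every certificate out of a PEM bundle such as httpclient's cacert.pem.
def parse_bundle(pem_text)
  pem_text.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
          .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Common name of a certificate's subject, or nil if it has none.
def common_name(cert)
  cert.subject.to_a.assoc('CN')&.at(1)
end

# Report what a bundle contains: how many roots, which ones are past not_after
# at +now+, and whether a root named DST Root CA X3 is still present. A bundle
# that still carries it is the situation this thread is about.
def audit_bundle(pem_text, now: Time.now)
  certs = parse_bundle(pem_text)
  expired = certs.select { |c| c.not_after < now }.map { |c| common_name(c) }
  {
    total: certs.size,
    expired: expired,
    has_dst_root_ca_x3: certs.any? { |c| common_name(c) == 'DST Root CA X3' }
  }
end

# Switch an HTTPClient instance from the gem's bundled cacert.pem to the OS
# trust store. SSLConfig#set_default_paths is httpclient's own method (verify
# against the gem version you run): it swaps in an OpenSSL::X509::Store loaded
# from OpenSSL's default CA paths and marks the bundled file as already loaded,
# so cacert.pem is never consulted for this client.
def use_system_certs!(client)
  client.ssl_config.set_default_paths
  client
end

# --- constructed sample data, not a real bundle ------------------------------
# Self-signed stand-ins so the audit runs offline; the keys are throwaway.
def self_signed_root(cn, not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

SAMPLE_NOW = Time.utc(2021, 10, 1) # constructed "current time" for the audit
SAMPLE_BUNDLE = [
  self_signed_root('Constructed Root One', Time.utc(2015, 1, 1), Time.utc(2035, 1, 1)),
  self_signed_root('DST Root CA X3', Time.utc(2000, 9, 30), Time.utc(2021, 9, 30)),
  self_signed_root('Constructed Root Two', Time.utc(2020, 1, 1), Time.utc(2040, 1, 1))
].map(&:to_pem).join

if $PROGRAM_NAME == __FILE__
  report = audit_bundle(SAMPLE_BUNDLE, now: SAMPLE_NOW)
  puts "roots: #{report[:total]}, expired: #{report[:expired].inspect}, " \
       "DST Root CA X3 present: #{report[:has_dst_root_ca_x3]}"
  begin
    require 'httpclient'
    use_system_certs!(HTTPClient.new)
    puts 'httpclient instance now verifies against the OS trust store'
  rescue LoadError
    puts 'httpclient gem not installed; skipping the client configuration demo'
  end
end
```

To audit the file actually shipped with the gem, pass `File.read(path_to_cacert_pem)` to `audit_bundle` with the real clock. Because `set_default_paths` hands trust to OpenSSL's default locations, the `SSL_CERT_DIR` and `SSL_CERT_FILE` environment variables that OpenSSL honours become the way to point a deployment at a specific store, which is what makes "as long as your system is up to date" the operative condition.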