[feat] Provide way to override root certs used for federation #585

New issue

Open

opened 2023-07-09 19:06:39 +00:00 by Gaelan · 6 comments

Gaelan commented 2023-07-09 19:06:39 +00:00

Copy link

The idea

Provide a way to specify a root certificate that is always considered valid when making HTTPS requests to other instances.

The reasoning

I'm working on a (yet unpublished, but I intend to soon) tool for running a bunch of fedi instances locally for testing. Everything's running locally, so we can't use real Let's Encrypt certs; instead, I use a locally-generated self-signed CA. Naturally, for Akkoma to federate successfully, it needs to trust that CA.

Putting this in config.exs currently works in my setup:

    config :pleroma, :http, adapter: [pools: %{default: [conn_opts: [transport_opts: [cacertfile: "path/to/rootCA.pem"]]]}]

But only because I'm running on macOS without security on the PATH, so Erlang's :public_key.cacerts_get() fails. If it didn't (and there isn't as easy a way to engineer such a failure on Linux, which I'd like to support), Akkoma (http_children in lib/pleroma/application.ex, which calls maybe_add_cacerts in lib/pleroma/http/adapter_helper.ex) would replace my configuration with the discovered system certs, with no way to disable this behavior that I can see.

Other alternatives considered:

• Configure Akkoma to use an unencrypted HTTP proxy (which is in turn considered to accept my CA) to access other instances: doable, but more moving parts. Also mildly annoying that Akkoma doesn't support (as far as I can see) connecting to an HTTP proxy over a Unix socket, so I need to juggle port numbers.
• Patch Akkoma on my end to replace the root-finding logic. Again doable, but more of a pain, especially as I'd like to support a wide range of Akkoma versions (although I'm not sure how much churn there is in this part of the code in practice).

Have you searched for this feature request?

• I have double-checked and have not found this feature request mentioned anywhere.
• This feature is related to the Akkoma backend specifically, and not pleroma-fe.

### The idea Provide a way to specify a root certificate that is always considered valid when making HTTPS requests to other instances. ### The reasoning I'm working on a (yet unpublished, but I intend to soon) tool for running a bunch of fedi instances locally for testing. Everything's running locally, so we can't use real Let's Encrypt certs; instead, I use a locally-generated self-signed CA. Naturally, for Akkoma to federate successfully, it needs to trust that CA. Putting this in `config.exs` currently works in my setup: ``` config :pleroma, :http, adapter: [pools: %{default: [conn_opts: [transport_opts: [cacertfile: "path/to/rootCA.pem"]]]}] ``` But only because I'm running on macOS without `security` on the PATH, so Erlang's `:public_key.cacerts_get()` fails. If it didn't (and there isn't as easy a way to engineer such a failure on Linux, which I'd like to support), Akkoma (`http_children` in `lib/pleroma/application.ex`, which calls `maybe_add_cacerts` in `lib/pleroma/http/adapter_helper.ex`) would replace my configuration with the discovered system certs, with no way to disable this behavior that I can see. Other alternatives considered: * Configure Akkoma to use an unencrypted HTTP proxy (which is in turn considered to accept my CA) to access other instances: doable, but more moving parts. Also mildly annoying that Akkoma doesn't support (as far as I can see) connecting to an HTTP proxy over a Unix socket, so I need to juggle port numbers. * Patch Akkoma on my end to replace the root-finding logic. Again doable, but more of a pain, especially as I'd like to support a wide range of Akkoma versions (although I'm not sure how much churn there is in this part of the code in practice). ### Have you searched for this feature request? - [x] I have double-checked and have not found this feature request mentioned anywhere. - [x] This feature is related to the Akkoma backend specifically, and not pleroma-fe.

Gaelan added the

feature request

label 2023-07-09 19:06:39 +00:00

floatingghost commented 2023-07-10 10:24:22 +00:00

Owner

Copy link

https://docs.akkoma.dev/stable/development/setting_up_akkoma_dev/#testing-with-https may be of use to you

https://docs.akkoma.dev/stable/development/setting_up_akkoma_dev/#testing-with-https may be of use to you

Gaelan commented 2023-07-10 15:28:52 +00:00

Author

Copy link

Ah nice, thanks - sorry I missed that!

Given that I have everything using the same root, it'd be marginally more elegant to just have Akkoma trust this root instead of disabling security checks altogether. But this is plenty good enough, given we're in development and nothing's externally accessible.

Ah nice, thanks - sorry I missed that! Given that I have everything using the same root, it'd be marginally more elegant to just have Akkoma trust this root instead of disabling security checks altogether. But this is plenty good enough, given we're in development and nothing's externally accessible.

XxXCertifiedForkliftDriverXxX commented 2023-07-11 06:17:03 +00:00

Contributor

Copy link

Hey there!

As a certified forklift driver, I understand the importance of trust and safety in any operation. If you're looking to trust a custom root certificate for HTTPS testing, I recommend installing it into your operating system's certificate store. This will ensure that your system recognizes and validates the certificate properly.

Now, here's the exciting part: Caddy, the trusty forklift of web servers, can actually handle this process for you automatically! It has a built-in feature that allows it to manage custom root certificates with ease. This means you can focus on your testing without worrying about the technicalities. Caddy will handle the management for you, just like a certified forklift driver expertly navigates through a warehouse.

To provide you with more context, #573 shows the significant milestone when Akkoma began reading the OS CA store, enabling seamless integration with custom root certificates.

By leveraging this feature, you can trust your custom root certificate for HTTPS testing without worrying about the technical complexities.

So, go ahead and let Caddy take the wheel, just like a certified forklift driver would. Trust me, you'll be in good hands!

Stay safe and happy testing!

Certified Forklift Driver

Hey there! As a certified forklift driver, I understand the importance of trust and safety in any operation. If you're looking to trust a custom root certificate for HTTPS testing, I recommend installing it into your operating system's certificate store. This will ensure that your system recognizes and validates the certificate properly. Now, here's the exciting part: Caddy, the trusty forklift of web servers, can actually handle this process for you automatically! It has a built-in feature that allows it to manage custom root certificates with ease. This means you can focus on your testing without worrying about the technicalities. Caddy will handle the management for you, just like a certified forklift driver expertly navigates through a warehouse. To provide you with more context, https://akkoma.dev/AkkomaGang/akkoma/pulls/573 shows the significant milestone when Akkoma began reading the OS CA store, enabling seamless integration with custom root certificates. By leveraging this feature, you can trust your custom root certificate for HTTPS testing without worrying about the technical complexities. So, go ahead and let Caddy take the wheel, just like a certified forklift driver would. Trust me, you'll be in good hands! Stay safe and happy testing! Certified Forklift Driver

Gaelan commented 2023-07-12 00:52:01 +00:00

Author

Copy link

Thanks! System the system root store is definitely a good default, and it's good that Akkoma supports it, but it'd still be nice to have an option to override it.

My tool does support adding its root to the system store (using mkcert, not Caddy, but the principle is the same), as this makes access from a browser slightly more convenient, but it's optional. My goal for my tool is to minimize dependence and impact on the system configuration - I'm trying to avoid contributing to, and work even in the presence of, an https://xkcd.com/1987/ situation.

Thanks! System the system root store is definitely a good default, and it's good that Akkoma supports it, but it'd still be nice to have an option to override it. My tool does support adding its root to the system store (using mkcert, not Caddy, but the principle is the same), as this makes access from a browser slightly more convenient, but it's optional. My goal for my tool is to minimize dependence and impact on the system configuration - I'm trying to avoid contributing to, and work even in the presence of, an https://xkcd.com/1987/ situation.

helene commented 2023-07-14 09:45:03 +00:00

Copy link

I run macOS but I'm not sure what your issue is. Could you give more details on how replicate or what the issue is?

If you are doing local development, disabling SSL verification or installing a localhost + *.localhost CA sounds fine to me, but I feel like I'm not understanding the issue here.

I run macOS but I'm not sure what your issue is. Could you give more details on how replicate or what the issue is? If you are doing local development, disabling SSL verification or installing a `localhost` + `*.localhost` CA sounds fine to me, but I feel like I'm not understanding the issue here.

Gaelan commented 2023-07-30 02:41:53 +00:00

Author

Copy link

For context, I've now released the tool I'm working on, minifedi.

If you are doing local development, disabling SSL verification or installing a localhost + *.localhost CA sounds fine to me, but I feel like I'm not understanding the issue here.

The issue with installing a localhost CA to the system-wide store is that minifedi tries to change the user's configuration as little as possible; I'd much prefer being able to provide a CA to Akkoma without affecting system configuration. It's almost possible to do this with Akkoma now, but only if Akkoma can't find the system root store; if it can, it unconditionally overrides anything provided in config.exs.

Disabling SSL verification is what we do now, and although it feels a little inelegant (we have a CA! we could just trust it! we don't need to disable validation entirely!) it's plenty good enough, and I'm happy to close this if y'all don't feel it's worth the trouble.

For context, I've now released the tool I'm working on, [minifedi](https://github.com/gaelan/minifedi). > If you are doing local development, disabling SSL verification or installing a localhost + *.localhost CA sounds fine to me, but I feel like I'm not understanding the issue here. The issue with installing a localhost CA to the system-wide store is that minifedi tries to change the user's configuration as little as possible; I'd much prefer being able to provide a CA to Akkoma without affecting system configuration. It's *almost* possible to do this with Akkoma now, but only if Akkoma can't find the system root store; if it can, it unconditionally overrides anything provided in `config.exs`. Disabling SSL verification is what we do now, and although it feels a little inelegant (we have a CA! we could just trust it! we don't need to disable validation entirely!) it's plenty good enough, and I'm happy to close this if y'all don't feel it's worth the trouble.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

translations

customizable-docker-db

stable

static-adminfe

bad-uploader-config-warning

docker

user-expiry-backfill

config-db-keys

ensure-scrubbers-loaded

otp26

code-shaking-does-not-go-brr

elixir1.15

circleci

backup-fixes

mod-task

policy

mrf-coolness

frontend-switcher-9000

contentMap

language-on-posts

rabbit

credo-on-pr

unify-http

normalise-markup-by-default

buildx

v3.13.2

v2.6.3

v3.13.1

v3.13.0

snac-3.12.1.2

v3.12.2

snac-3.12.1.1

v3.12.1

v3.12.0

v3.11.0

v2.6.2

v2.6.1

2.6.1

v2.6.0

v2.5.5

v3.10.4

v3.10.3

v3.10.2

v3.10.1

v3.10.0

v2.5.4

v2.5.3

v3.9.3

v3.9.2

v3.9.1

V3.9.0

2023.05

v3.8.0

v3.7.1

v3.7.0

v3.6.0

v3.5.0

v2.4.5

v3.4.0

v3.3.1

v2.4.4

v3.3.0

v3.2.3

v3.2.2

v3.2.1

stable-202209

v3.2.0

v3.1.0

stable-2022.07

v3.0.0

v0.0.1

v2.5.2-6

v2.5.2-5

v2.5.2-4

v2.5.2-3

v2.5.2-2

v2.5.2-1

v2.5.2

v2.5.1

v2.5.0-8

v2.5.0-7

v2.5.0-6

v2.5.0-5

v2.5.0-4

v2.5.0-3

v2.5.0-2

v2.5.0-1

v2.5.0

v2.4.3

pre-rebase

v2.4.2

v2.4.1

v2.4.0

soapbox-v1.1.1

soapbox-v1.1.0

soapbox-v1.0.0

v2.3.0

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.1.9

v1.1.8

v1.1.7

v1.1.6

v1.1.5

v1.1.4

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.91

v1.0.90

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3

v1.0.2

v1.0.1

v1.0.0

v0.9.0

Labels

Clear labels   

approved, awaiting change

  

bug

Something is not working

  

configuration

This requires config changes

  

documentation

This is about human-readable docs

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

extremely low priority

  

feature request

Something new?

  

Fix it yourself

Support has been attempted

  

help wanted

Need some help

  

invalid

Something is wrong

  

mastodon_api

  

needs docs

  

needs tests

  

not a bug

  

planned

  

pleroma_api

  

privacy

  

question

More information is needed

  

static_fe

  

triage

  

wontfix

This won't be fixed

No labels

approved, awaiting change

bug

configuration

documentation

duplicate

enhancement

extremely low priority

feature request

Fix it yourself

help wanted

invalid

mastodon_api

needs docs

needs tests

not a bug

planned

pleroma_api

privacy

question

static_fe

triage

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

4 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: AkkomaGang/akkoma#585

No description provided.