Not compatible with FreeBSD #1

Closed
Cubox opened this issue Sep 12, 2019 · 19 comments · Fixed by #7 or caddyserver/caddy#4453
Labels
enhancement New feature or request

Comments

@Cubox

Cubox commented Sep 12, 2019

There is no code to handle FreeBSD.

FreeBSD stores certificates in /usr/local/etc/ssl.
The port security/p11-kit provides the trust utility.

@maraino
Collaborator

maraino commented Sep 12, 2019

@Cubox- Thanks for filing the issue. If you want to provide a PR, I'll merge it and integrate it into step.

@Cubox
Author

Cubox commented Sep 12, 2019

Will try. In the meantime, are those functions being used for anything outside of the cli command truststore?
Would having the functions do nothing and letting the whole thing compile work?

@maraino
Collaborator

maraino commented Sep 13, 2019

We're only using it for step certificate install; as a first pass, having the functions return a not-implemented error would be ok.

@maraino
Collaborator

maraino commented Sep 13, 2019

You can try that with this build constraint:

// +build !linux,!darwin,!windows

That will make it work for other OSes too.

@maraino
Collaborator

maraino commented Sep 13, 2019

@Cubox- I've just committed a file that will make the compilation possible:
https://github.com/smallstep/truststore/blob/master/truststore_others.go

FreeBSD support is still pending, so I'll keep this issue open

@sourishkrout sourishkrout added the enhancement New feature or request label Sep 24, 2019
@mholt

mholt commented Apr 9, 2020

@Cubox- Is this still something you're working on? We (the Caddy project) have started seeing requests for this too and we think it'd be a great contribution 😃

@Cubox
Author

Cubox commented Apr 9, 2020

@mholt no sorry

@mholt

mholt commented Apr 9, 2020

That's alright, just wanted to check in! 👌

@basilhendroff

The 'Trust store unsupported' issue surfaces in the FreeBSD port of step-ca (smallstep/certificates#572) and in the Caddy internal CA (based on the Smallstep libraries): https://caddy.community/t/unresolved-mtls-under-freebsd/12364

@maraino maraino added the needs triage Issue needs triage label May 18, 2021
@maraino
Collaborator

maraino commented May 18, 2021

This was totally lost, added to the triage meeting.

@basilhendroff

basilhendroff commented May 21, 2021

I have some info that may be useful. This is in relation to the Caddy internal CA, but it will probably be relevant to the Smallstep CA as well. Full details are in this Caddy forum post: https://caddy.community/t/mtls-under-freebsd-is-now-working/12364/47. TL;DR, the short version...

This is what I was seeing in the Caddy console log:

{"level":"warn","ts":"2021-05-10T21:41:57.225+0800","logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
2021/05/10 21:41:57 Note: NSS support is not available on your platform
2021/05/10 21:41:57 define JAVA_HOME environment variable to use the Java trust
{"level":"error","ts":"2021-05-10T21:41:57.226+0800","logger":"pki.ca.local","msg":"failed to install root certificate","error":"trust not supported","certificate_file":"storage:pki/authorities/local/root.crt"}

I then executed the following command....

root@caddy:~ # cat /.local/share/caddy/pki/authorities/local/root.crt >> /usr/local/share/certs/ca-root-nss.crt

Restarting Caddy, the internal CA now works. The console log shows the following...

{"level":"info","ts":"2021-05-20T13:13:20.993+0800","logger":"pki.ca.local","msg":"root certificate is already trusted by system","path":"storage:pki/authorities/local/root.crt"}

Don't get too excited though. The 'solution' is semi-permanent at best. The internal CA breaks if the ca_root_nss package on FreeBSD is updated. To fix it, it’s necessary to append root.crt to ca-root-nss.crt again. For reasons described in the bug report Bug 160387 - security/ca_root_nss: Allow user to trust extra local certificates, a permanent solution is unlikely to be forthcoming.

A second issue to contend with is the location of root.crt. It will depend on how Caddy is started and appears to be tied to the HOME environment variable. More details in the above linked Caddy forum thread.

@dopey dopey removed the needs triage Issue needs triage label May 25, 2021
@francislavoie
Contributor

@basilhendroff Digging a bit more in FreeBSD bug tickets, there was apparently a certctl tool added which seems to support managing root certs in the trust store (also supporting a blacklist for example). It seems like putting the smallstep root cert into a particular location then running certctl rehash might do it? Could you look into this? See https://www.freebsd.org/cgi/man.cgi?query=certctl&apropos=0&sektion=0&manpath=FreeBSD+11.4-stable&arch=default&format=html

Also an interesting development, Go made a change regarding the location of the trust store a few days ago which should land in the next version of Go, i.e. version 1.17: golang/go#46284. This might also help. I guess this is all meant to land in FreeBSD 12.2?

I don't follow FreeBSD progress, so you may understand this better, but I'm hoping this might help push this in the right direction.

@basilhendroff

basilhendroff commented May 30, 2021

@francislavoie My reading is that the certctl utility manages the list of TLS Certificate Authorities that are trusted by applications that use OpenSSL. I think it replaces what I tried in this Caddy forum post with the openssl rehash command.

As I understand it, Caddy doesn't currently use OpenSSL; it uses the crypto implementation from the Go standard library. With the proposed Go change, my interpretation is that Go intends to support OpenSSL. If you follow the link golang/go#46284, it does reference certctl. If that is the case, there is a mechanism to reliably add extra certificates using certctl.

@francislavoie
Contributor

francislavoie commented May 30, 2021

With the proposed Go change, my interpretation is that Go intends to support OpenSSL.

Not quite; it just adds another file location from which it would load trust (this new one being preferred first if it exists). It still uses Go's crypto implementation.

The change is merged in Go, and will be released in Go 1.17 (and Caddy would just need to be built using that version of Go to get it to work). Actually, you might be able to build Caddy with a nightly/prerelease version of Go, to test out that Caddy reads trust from that new location.

@basilhendroff

basilhendroff commented Nov 21, 2021

Okay, it appears we now have a way forward. certctl is a new certificate manager for FreeBSD 12.2 and later versions. It's unlikely this will be backported to earlier FreeBSD versions, which still rely on the method described in the OP. High-level steps:

  1. Check for FreeBSD 12.2 or later.
  2. Add the cert to TRUSTPATH (details in the certctl manual. I tested with /usr/local/etc/ssl/certs as this path doesn't appear to exist by default).
  3. Run certctl rehash. Symbolic links to trusted certs are placed in the trust store at CERTDESTDIR (/etc/ssl/cert).

Detailed testing to confirm that this approach works can be viewed here.

@maraino
Collaborator

maraino commented Nov 22, 2021

@basilhendroff If you can send us a PR defining this for FreeBSD, I'll merge it:

// +build freebsd

package truststore

import "crypto/x509"

var (
	// NSSProfile is the path of the Firefox profiles.
	NSSProfile = ""
	// CertutilInstallHelp is the command to add NSS support.
	CertutilInstallHelp = ""
)

// installPlatform adds cert to the system trust store; stubbed until certctl support lands.
func installPlatform(filename string, cert *x509.Certificate) error {
	return ErrTrustNotSupported
}

// uninstallPlatform removes cert from the system trust store; stubbed for the same reason.
func uninstallPlatform(filename string, cert *x509.Certificate) error {
	return ErrTrustNotSupported
}
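The three-step certctl procedure basilhendroff lists above (version check, drop the PEM into TRUSTPATH, run certctl rehash) and the stub maraino posted, combined into one runnable sketch. This is an added example, not code from the smallstep/truststore project or from the pull request that closed this issue; the function names, the Runner abstraction, the ErrTrustNotSupported sentinel and the /usr/local/etc/ssl/certs TRUSTPATH are assumptions taken from the thread for illustration. A real project file would carry a freebsd build constraint and call certctl through os/exec; here main performs a dry run into a temporary directory so it executes on any OS.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strconv"
	"strings"
	"time"
)

// ErrTrustNotSupported mirrors the sentinel the stub above returns (assumed name).
var ErrTrustNotSupported = errors.New("trust not supported")

// Runner abstracts `certctl rehash` so the logic runs without root or a FreeBSD host.
type Runner func(name string, args ...string) error

// SupportsCertctl (step 1) reports whether a `uname -r` style release string such as
// "12.2-RELEASE", "13.0-RELEASE-p4" or "12.1-STABLE" is FreeBSD 12.2 or newer.
func SupportsCertctl(release string) bool {
	parts := strings.SplitN(strings.SplitN(release, "-", 2)[0], ".", 2)
	if len(parts) != 2 {
		return false
	}
	major, errMaj := strconv.Atoi(parts[0])
	minor, errMin := strconv.Atoi(parts[1])
	if errMaj != nil || errMin != nil {
		return false
	}
	return major > 12 || (major == 12 && minor >= 2)
}

// CertPEM encodes the certificate as certctl expects to find it in TRUSTPATH.
func CertPEM(cert *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
}

// CertDest maps the caller's filename to a stable .pem path inside dir.
func CertDest(dir, filename string) string {
	base := strings.TrimSuffix(filepath.Base(filename), filepath.Ext(filename))
	return filepath.Join(dir, base+".pem")
}

// InstallFreeBSD performs steps 2 and 3: write the cert into TRUSTPATH, then rehash.
// Releases older than 12.2 keep the stub's "trust not supported" behaviour.
func InstallFreeBSD(release, dir, filename string, cert *x509.Certificate, run Runner) error {
	if !SupportsCertctl(release) {
		return ErrTrustNotSupported
	}
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return fmt.Errorf("creating %s: %w", dir, err)
	}
	dst := CertDest(dir, filename)
	if err := os.WriteFile(dst, CertPEM(cert), 0o644); err != nil {
		return fmt.Errorf("writing %s: %w", dst, err)
	}
	if err := run("certctl", "rehash"); err != nil {
		return fmt.Errorf("certctl rehash: %w", err)
	}
	return nil
}

// selfSignedCert builds a throwaway root (constructed data) so main runs offline on any OS.
func selfSignedCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{CommonName: "Example Root CA (constructed)"}, IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	dir, _ := os.MkdirTemp("", "trustpath") // stand-in for /usr/local/etc/ssl/certs (assumed TRUSTPATH)
	defer os.RemoveAll(dir)
	dryRun := func(name string, args ...string) error { fmt.Println("would run:", name, args); return nil }
	fmt.Println("13.0:", InstallFreeBSD("13.0-RELEASE", dir, "root.crt", cert, dryRun))
	fmt.Println("12.1:", InstallFreeBSD("12.1-RELEASE", dir, "root.crt", cert, dryRun))
}
```

The version gate is what keeps releases before 12.2 on the existing "trust not supported" path instead of silently writing a file that nothing will ever rehash, and injecting the rehash command as a Runner is what lets the file-placement logic be checked on a non-FreeBSD build host without root. An uninstall counterpart would remove CertDest(dir, filename) and rehash again so the symlink under CERTDESTDIR disappears.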

@basilhendroff

basilhendroff commented Nov 23, 2021

@maraino Unfortunately, I'm not a developer so I'm unable to take this further. I've sounded out the TrueNAS community in the thread Calling on Go developers... for a Go developer with FreeBSD expertise to help bring some closure to this issue.

EDIT: I've cast the net further afield to the FreeBSD community Calling Go developers...

@basilhendroff

A HUGE thank you to @qiu3344 from the FreeBSD community for responding to the plea for a Go developer to help resolve the FreeBSD trust store issue within SmallStep. @qiu3344 stepped up to the plate and unselfishly contributed their expertise and time to bring closure to this issue. Around 100 lines of Go code were added in a pull request. The fix should find its way into a future release of SmallStep and Caddy. Anybody who uses these products on FreeBSD, and its derivatives such as TrueNAS, for private PKI certificate lifecycle management owes @qiu3344 a debt of gratitude for their contribution in making these products fully functional on more recent FreeBSD versions.

maraino added a commit that referenced this issue Nov 29, 2021
Add FreeBSD `certctl` support (Fixes #1)
@francislavoie
Contributor

francislavoie commented Nov 29, 2021

@maraino if you could give me a heads up when the releases are tagged, that'd be greatly appreciated 😄

Edit: Thanks! caddyserver/caddy#4453
