openssl: generate cacert.pem from system and user CA

[MilhouseVH]

This should allow users to append their own self-signed CA.

https://forum.libreelec.tv/thread/12789-adding-own-certs-to-connect-via-webdavs-sftp-again

[lrusak]

The implementation looks fine. I'm just worried about the security now that anyone with access to the system can now insert their cert into the chain, perhaps for nefarious reasons.

[MilhouseVH]

Yes, I guess that is a possibility, and not one to which I have a solution. Given the design of the entire root-only system, this is just one more potential issue for the list...

[chewitt]

It's possible (but not as elegant) to bind-mount a custom cert (as proved by @vpeter4 in the forums) so restricting the cert to be in the read-only filesystem area doesn't afford greater security. Plus, if an actor with bad intentions has compromised an LE installation there are much more interesting things that can be done and malicious tweaking of an SSL cert chain is the least of your worries.

[MilhouseVH]

The problem with the bind mount solution (and indeed any solution that replaces the system provided CA bundle with a complete alternative bundle) is that as the system installed bundle is updated with new CA certs over time, the user with the bind mounted CA bundle will not see these new CA changes - they will complain when public sites slowly become inaccessible due to expired/revoked CAs in their increasingly stale custom CA bundle.

They'll almost certainly neglect to inform us they are using a bind mounted custom CA bundle when reporting some weird TLS issue that nobody else is able to reproduce, because they themselves will have forgotten they set it up months previously (it's easily done, been there/done it myself...)

[vpeter4]

One other option is to leave /etc/ssl/cacert.pem as readonly. Instead users put it's own certs in some folder at /storage and use --with-ca-path pointing there.
But here proposed solution just works.

[JohnPlayerSpecial2018]

I can confirm: it's working with my webdavs connection now!

[vpeter4]

From Milhouse build #715, 15-Jul-2018:

09:24:40.448 T:139639067313920   ERROR: ## LibreELEC Addon ## oe::load_url(https://update.libreelec.tv/updates.php?i=ea1220f3a82e419b9941c4d8ec199552&d=LibreELEC&pa=Generic.x86_64&v=%230715&f=vmwgfx&b=Milhouse) ## ERROR: (URLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)'),))
09:24:40.448 T:139639067313920   ERROR: Traceback (most recent call last):
                                              File "/home/neil/projects/LibreELEC.tv/build.LibreELEC-Generic.x86_64-9.0-devel/LibreELEC-settings-659afa8/.install_pkg/usr/share/kodi/addons/service.libreelec.settings/oe.py", line 273, in load_url
                                              File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
                                              File "/usr/lib/python2.7/urllib2.py", line 429, in open
                                              File "/usr/lib/python2.7/urllib2.py", line 447, in _open
                                              File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
                                              File "/usr/lib/python2.7/urllib2.py", line 1241, in https_open
                                              File "/usr/lib/python2.7/urllib2.py", line 1198, in do_open
                                            URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)>
09:24:40.448 T:139639067313920   ERROR: ## LibreELEC Addon ## system::check_updates_v2 ## ERROR: (TypeError('expected string or buffer',))
09:24:40.448 T:139639067313920   ERROR: Traceback (most recent call last):
                                              File "/home/neil/projects/LibreELEC.tv/build.LibreELEC-Generic.x86_64-9.0-devel/LibreELEC-settings-659afa8/.install_pkg/usr/share/kodi/addons/service.libreelec.settings/resources/lib/modules/system.py", line 856, in check_updates_v2
                                              File "/usr/lib/python2.7/json/__init__.py", line 339, in loads
                                              File "/usr/lib/python2.7/json/decoder.py", line 364, in decode
                                            TypeError: expected string or buffer

I assume changing path /etc/ssl/cert.pem was bad idea and would need to change in every other package?

From strace I see that Python is expecting file /etc/ssl/cert.pem. I assume because this is default path used by openssl in file crypto/cryptlib.h. That's why I was wondering about renaming file and also moving location.

I would just leave this file as was before. There is no point of changing every other package if this is default file name. So change back cacert.pem to cert.pem in /etc/ssl. Just made a test and it is working as it should. Also with custom cacert.

[MilhouseVH]

Curiously, I get the same error as you on a NUC, but not on an RPi or RPi2 build.

Some parts of openssl refer to cacert.pem, while other parts refer to cert.pem. I think I'll just add a cert.pem sym link to /run/libreelec/cacert.pem and be done with it! Adding the sym link fixes the NUC.

[vpeter4]

I think cacert.pem is filename used when making self signed certificates and there is no need to put it there. That's why change in openssl.cnf was not needed either.

I think with another file we will just have a mess. Only because the problem is not understand fully.

[MilhouseVH]

I wouldn't call adding a second file a mess, but there are parts of OpenSSL which default to cacert.pem, and other parts which default to cert.pem, so it's OpenSSL that seems to be a bit of a mess!

While we could switch back to using cert.pem only, adding a second sym link resolves both issues. The need for cacert.pem is very likely a corner case, but it's configured correctly now so I'd like to keep it. This doesn't look like too much of a mess:

NUC:~ # ls -la /etc/ssl
total 262
drwxrwxr-x    2 root     root            93 Jul 16 09:59 .
drwxrwxr-x   23 root     root          1030 Jul 16 10:07 ..
lrwxrwxrwx    1 root     root            25 Jul 16 09:59 cacert.pem -> /run/libreelec/cacert.pem
-rw-rw-r--    1 root     root        256008 Jul 16 09:59 cacert.pem.system
lrwxrwxrwx    1 root     root            25 Jul 16 09:59 cert.pem -> /run/libreelec/cacert.pem
-rw-r--r--    1 root     root         10835 Jul 16 09:59 openssl.cnf

[vpeter4]

I don't see a need to /etc/ssl/cacert.pem when grepping openssl.
But ok, it compiles and works so it is good :)

Now I see that change in curl is also not needed anymore.