This repository has been archived by the owner on Jul 14, 2021. It is now read-only.

OSX: Pull certs from Keychain #140

Closed
docwhat opened this issue Aug 22, 2014 · 8 comments
Labels
Type: Enhancement Adds new functionality.

Comments

@docwhat
Contributor

docwhat commented Aug 22, 2014

On OSX the authoritative source of certificates is the Keychain.

You can pull them out with:

security find-certificate -a -p /Library/Keychains/System.keychain
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain

You can see how Homebrew deals with certificates by looking at the openssl formula.

Currently, you can work around this by symlinking the Homebrew cert.pem into ChefDK's embedded directory.

sudo ln -nsf /usr/local/etc/openssl/cert.pem /opt/chefdk/embedded/ssl/certs/cacert.pem

It'd be nice if this "Just Worked" out of the box.

PS: I imagine most of the other systems where you ship with your own OpenSSL also have this problem (e.g. Windows).

@danielsdeleo
Contributor

Just wondering, is there a specific problem you're experiencing? E.g., you have a custom CA at your organization which everyone configures in their keychains?

Sadly, the "real" OpenSSL/OS X integration only exists as a patch that Apple applies to OpenSSL and either didn't submit upstream or hasn't been merged. The same is true on Windows: integration with the Windows certificate store was contributed to OpenSSL but was not merged (I don't know the reason for that). In order to really do the right thing, we want to constantly be using the updated CRLs that you get in OS updates from your vendor (and also replacements for expired certificates, etc.). The problem with Homebrew's approach (our current approach of bundling Mozilla's CA bundle has the same issue) is that you need to be periodically checking for CRL updates or else you can be vulnerable to stolen certs. But that requires us to install a cronjob or something, which seems a bit invasive.

@docwhat
Contributor Author

docwhat commented Aug 26, 2014

It is because we have an in house CA cert.

What would really solve this is if Ruby used Apple's own SSL library instead of OpenSSL. I imagine Windows has something similar.

Homebrew has c_rehash to update the certs and CRLs. Can you piggyback off that?

@danielsdeleo
Contributor

AFAIK, c_rehash just combines a bunch of root CA certs into a bundle; you need to re-run the security find-certificate steps to update certificates and CRLs, but you should probably be doing it periodically for maximum security/correctness. This is also required in order to pick up changes you make in your keychain. But that implies me installing a cronjob on your system.

As for Ruby using Apple's OpenSSL, it's too old, at least on some of the versions of OS X we (intend to) support. I know Apple has a different SSL library, but adding support for that in Ruby isn't something we (Chef engineering) could really do.

@docwhat
Contributor Author

docwhat commented Aug 27, 2014

I didn't mean Apple's OpenSSL. It's junk. I meant the new stuff.

Huh. I'll have to double check. I thought c_rehash did the CRLs too.

@danielsdeleo
Contributor

I'm tempted to close this unless we can come up with a way to non-intrusively (i.e., no cron jobs) pull down certs from the host OS and keep things updated. Did you get anywhere with your research?

@docwhat
Contributor Author

docwhat commented Feb 14, 2015

Yeah. But you should document the environment variable to override the default CAs.
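The opening post's problem (an in-house CA that the bundled cacert.pem does not contain) and the override variable asked for here, as an added Ruby example that is not from this issue or the ChefDK project: it builds a hypothetical in-house CA and a server certificate it signed, writes the CA out as a PEM bundle of the same shape `security find-certificate -a -p` emits, and shows that verification fails with no bundle and succeeds once the bundle is loaded, either directly or through SSL_CERT_FILE. Every name and subject below is constructed for the example.

```ruby
require "openssl"
require "tempfile"
# Issue a certificate; issuer_cert/issuer_key nil means self-signed.
# Every subject name here is constructed for the example.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for extensions
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign,cRLSign" : "digitalSignature", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# A hypothetical in-house CA (the kind an organisation installs in its Keychains) and a server cert it issued.
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert("/CN=Example In-House CA", CA_KEY, ca: true)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = make_cert("/CN=internal.example.test", LEAF_KEY, issuer_cert: CA_CERT, issuer_key: CA_KEY)
# Write certs as a PEM bundle: the shape `security find-certificate -a -p` emits and the
# shape of the cacert.pem the embedded OpenSSL reads. Tempfile.create does not auto-delete.
def write_bundle(certs)
  f = Tempfile.create(["cacert", ".pem"])
  f.write(certs.map(&:to_pem).join)
  f.close
  f.path
end
# Verify the leaf against only the given bundle (nil = empty trust store, so nothing is trusted).
def verify_with_bundle(leaf, bundle_path)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path) if bundle_path
  store.verify(leaf)
end
# Same check with the bundle supplied via SSL_CERT_FILE, which OpenSSL's default-path
# loading (what Ruby's net/http uses) honours instead of the built-in cacert.pem.
def verify_via_env(leaf, bundle_path)
  ENV["SSL_CERT_FILE"] = bundle_path
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  store.verify(leaf)
end
```

The same verify_with_bundle call would also fail against a bundle that holds only the Mozilla roots, which is exactly the in-house-CA situation from the thread.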

@danielsdeleo
Contributor

@docwhat
Contributor Author

docwhat commented Feb 18, 2015

👍

ksubrama pushed a commit that referenced this issue Jan 11, 2016
support 14.04 via old endpoints
@thommay thommay added Type: Enhancement Adds new functionality. and removed Enhancement labels Feb 1, 2017
@chef-boneyard chef-boneyard locked and limited conversation to collaborators Feb 14, 2018