trusted_ca_certificates puts certificate in 'conventional location' which is not used

[sharms]

Summary

trusted_certs has been depreciated in favor of trusted_ca_certificates, however the certificates are now put in /var/vcap/data/rep/trusted_certs and are ignored by buildpacks and openssl. This can be configured on the rootfs options, but trusted_ca_certificates functionally isn't of value.

Expected Result

Certificates specified in trusted_ca_certificates are used as trusted ca certificates

[cf-gitbot]

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/154364290

The labels on this github issue will be updated when the story is started.

[emalm]

Hi, @sharms,

That /var/vcap/data/rep/trusted_certs location is bind-mounted to the app instance containers on the cell at the location specified by the TrustedSystemCertificatesPath field, which in a CF context is always /etc/cf-system-certificates. Recent versions of Diego also export this location into the container environment in the $CF_SYSTEM_CERT_PATH variable.

I agree that this level of installation is suboptimal for buildpack-app containers based on cflinuxfs2, since in that case the Linux distribution is known in advance to be Ubuntu and so the rootfs setup job can install extra certs, but for supplying these same CA certs to Docker-image-based apps with filesystems based on arbitrary Linux distributions (CentOS, SUSE, or even just an /etc/passwd file and a /root directory) or to Windows app instances it has seemed like the only reasonable option.

Thanks,
Eric, CF Diego PM

[emalm]

Updated https://docs.cloudfoundry.org/running/trusted-system-certificates.html with information about configuring containers.trusted_ca_certificates in cloudfoundry/docs-running-cf#51, so closing this out this issue.

[qwertycody]

emalm, I've tested this and it would seem that this property is ignored on my application.yml file during the cf-push.

[emalm]

@qwertycody This is a setting relevant for the BOSH manifest that deploys the Diego cell rep as a CF components, not a setting for per-app configuration via its CF manifest. If you need to supply additional CA certificates for your application to trust, maybe it would work for you to do so via other configuration mechanisms for CF apps, such as environment variables or a user-provided service instance? If that's not sufficient, I'd be interested to hear why.

Thanks,
Eric

[qwertycody]

Well, to be quite honest, I'm not entirely sure that .NET Core would support something that based on my initial research. I definitely could have missed something.

`applications:

• name: Best App Ever
  memory: 1G
  instances: 1
  buildpack: dotnet_core_buildpack
  stack: cflinuxfs2
  env:
  CACHE_NUGET_PACKAGES: false
  ASPNETCORE_ENVIRONMENT: Development
  path: ViewController/bin/Debug/netcoreapp2.0/publish
  services:
• service-registry
• config-server
• sso
  properties:
  cflinuxfs2-rootfs:
  trusted_certs:
• |
  -----BEGIN CERTIFICATE-----
  MIIGlzCCBX+gAwIBAgIKUP73nAAAAAHEyjANBgkqhkiG9w0BAQUFADBnMRMwEQYK
  CZImiZPyLGQBGRYDY29tMRIwEAYKCZImiZPyLGQBGRYCZ20xFDASBgoJkiaJk/Is
  ZAEZFgRjb3JwMSYwJAYDVQQDEx1HTSBJbmZyYXN0cnVjdHVyZSBJc3N1aW5nIENB
  MjAeFw0xNTEwMjMxNjA5MDFaFw0xODEwMjIxNjA5MDFaMAAwggEiMA0GCSqGSIb3
  DQEBAQUAA4IBDwAwggEKAoIB
  -----END CERTIFICATE--------- `

[emalm]

@qwertycody Would you mind reformatting that app manifest with a triple-backtick fenced code block? It's difficult to tell the YAML structure as is.

[qwertycody]

@emalm, wanted to follow up and let you guys know I ended up finding the solution for this.

As you mentioned, the above solution is not for an APP but for a cell. The below code is how I solved the problem. Turns out the LDAP Library I was using implements a common SSLValidationHandler and I wrote a method to do this validation in the app.

public static bool ManualSslVerification(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            try
            {
                //Testing to see if the Certificate and Chain build properly, aka no forgery.
                chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                chain.Build(new X509Certificate2(certificate));

                //Looking to see if there are no errors in the build that we don't like
                foreach (X509ChainStatus status in chain.ChainStatus)
                {
                    if (status.Status == X509ChainStatusFlags.NoError || status.Status == X509ChainStatusFlags.UntrustedRoot)
                    {
                        //Acceptable Status, We want to know if it builds properly.
                    }
                    else
                    {
                        return false;
                    }
                }

                X509Certificate2 trustedRootCertificateAuthority = new X509Certificate2(ViewController.Properties.Resources.My_Root_CA);

                //Now that we have tested to see if the cert builds properly, we now will check if the thumbprint of the root ca matches our trusted one
                if(chain.ChainElements[chain.ChainElements.Count - 1].Certificate.Thumbprint != trustedRootCertificateAuthority.Thumbprint)
                {
                    return false;
                }

                //Once we have verified the thumbprint the last fun check we can do is to build the chain and then see if the remote cert builds properly with it
                //Testing to see if the Certificate and Chain build properly, aka no forgery.
                X509Chain trustedChain = new X509Chain();
                trustedChain.ChainPolicy.ExtraStore.Add(trustedRootCertificateAuthority);
                trustedChain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
                trustedChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                trustedChain.Build(new X509Certificate2(certificate));

                //Looking to see if there are no errors in the build that we don't like
                foreach (X509ChainStatus status in trustedChain.ChainStatus)
                {
                    if(status.Status == X509ChainStatusFlags.NoError || status.Status == X509ChainStatusFlags.UntrustedRoot)
                    {
                        //Acceptable Status, We want to know if it builds properly.
                    }
                    else
                    {
                        return false;
                    }
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
                return false;
            }

            return true;
        }