[cacerts] Feature Request: method to easily add additional certs to cabundle

[qubitrenegade]

Hello,

We use an internal CA for generating SSL certs. To enable an instance to trust SSL signed with our internal CA we generally update our /etc/ssl/certs/ca-bundle.crt with update-ca-trust.

However, since any package that include core/cacerts will use the bundled ca-bundle, any updates to the system ca-bundle will be ignored.

As a short-term work around, we've been adding our certs to the core/cabundle once it's been deployed, e.g.:

cat my_cert.pem >> $(hab pkg path core/cacerts)/ssl/cert.pem

Which works well, until cacerts is updated.

What would be really nice, is to be able to create a /hab/user/cacerts/config/user.toml and add my certs there, e.g.:

[cert]
name = "foobar.com"
data = """
-----BEGIN CERTIFICATE-----
jkljklhjkhjkhjkhkjk...
-----END CERTIFICATE-----
"""

[cert]
name = "bizbaz.com"
data = """
-----BEGIN CERTIFICATE-----
FDSafadsfadsfadsadfs
-----END CERTIFICATE-----
"""

But as cacerts is a binary package, I don't think it will honor any settings in default.toml/user.toml...?

So I'm really not sure how to approach this...

[HT154]

I think this is actually possible to accomplish with an install hook today without any rust feature development.

I need to run Habitat in an environment with an on-prem builder, custom CA certs, and no internet access. Here's what I imagine this would look like if core/cacerts implemented an install hook for patching the CA bundle:

# system CA trust is already updated
export SSL_CERT_FILE=path/to/system/trust.pem
export HAB_FEAT_INSTALL_HOOK=1
export HAB_BLDR_URL=https://bldr.me

export HAB_CORE_CACERTS_APPEND=path/to/my/ca1.pem,path/to/my/ca2.pem
# OR, potentially
export HAB_CORE_CACERTS_REPLACE=path/to/system/trust.pem

curl https://file.server.me/hab -o /tmp/hab
/tmp/hab pkg install -bf core/hab
hab pkg install core/hab-sup
hab pkg install core/hab-launcher