
setup-ssl fails on Linux #222

Closed
shochdoerfer opened this issue Feb 8, 2020 · 19 comments

Comments

@shochdoerfer
Contributor

When trying to run the setup-ssl command on Linux it fails for the sudo security add-trusted-cert command as there's no security binary which could be called. I'd assume that's a Mac-only solution.

@markshust
Owner

Thanks for the report, it is indeed a mac-only solution as implemented.

Can you try replacing the contents of bin/setup-ssl-ca with the following?

#!/bin/bash
docker-compose exec -u root app mkcert -install
docker cp $(docker-compose ps -q app|awk '{print $1}'):/root/.local/share/mkcert/rootCA.pem .
echo "System password requested to install certificate authority on host..."
cp rootCA.pem /usr/local/share/ca-certificates/docker-magento-ca.pem
sudo update-ca-certificates
rm rootCA.pem

Then run bin/setup-ssl-ca and see if this adds the CA to your system. You can then run the bin/setup-ssl script again.

I don't have linux to test at the moment, but if the above works I can add that into the script.

@shochdoerfer
Contributor Author

The cp command also needs to be executed with sudo. Other than that, it worked fine. Not sure though about the general idea as this would overwrite the docker-magento-ca.pem each time I would run this for a new project.

@ArjanStudent

Hi @shochdoerfer @markshust

I'm having the same issue on Ubuntu 18.04.4 LTS.

When I do the set-up as described in the README file, I always end up with a 404 in nginx and the logs say the following:

2020/02/25 09:23:15 [info] 6#6: *44 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443
2020/02/25 09:23:15 [info] 6#6: *45 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443
2020/02/25 09:23:58 [info] 6#6: *46 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443

What exactly were your steps to figure this out? @shochdoerfer

Thx in advance!

@adiled

adiled commented Mar 5, 2020

For Arch

#!/bin/bash
docker-compose exec -u root app mkcert -install
docker cp $(docker-compose ps -q app|awk '{print $1}'):/root/.local/share/mkcert/rootCA.pem ./rootCA.cert
echo "System password requested to install certificate authority on host..."
sudo trust anchor --store rootCA.cert
rm rootCA.cert

@markshust
Owner

Can someone verify this line also works on Ubuntu?

sudo trust anchor --store rootCA.cert

I can update the bin/setup-ssl-ca script to detect mac/linux and run the appropriate line.

@sunilit42

@markshust

I tried, but it's not working.

@adiled

adiled commented Mar 5, 2020

@markshust this is for Arch and Fedora only. Commands for Ubuntu / Debian are mentioned here: https://wiki.archlinux.org/index.php/User:Grawity/Adding_a_trusted_CA_certificate

cat /etc/os-release seems to contain info on both (possibly all) distros.
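One way to do the Mac/Linux detection markshust mentions, extended with the per-distro detection adiled suggests via /etc/os-release. This is an added example, not part of docker-magento's scripts: it assumes the CA file path is passed as an argument, uses the Debian/Arch commands from this thread, and adds the Fedora/RHEL update-ca-trust path, which the thread does not cover. The function only prints the command so it can be inspected before being run under sudo.

```shell
# Usage: ca_install_cmd <kernel-name> <os-release-file> <ca-file>
# Prints the host trust-store command to run (under sudo) for a mkcert rootCA.pem.
ca_install_cmd() {
  local kernel="$1" osrel="$2" ca="$3" id="" like=""
  if [ "$kernel" = "Darwin" ]; then
    # Same macOS keychain command the thread's bin/setup-ssl-ca uses
    echo "security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain $ca"
    return 0
  fi
  # Read ID and ID_LIKE with sed instead of sourcing the file, so a
  # malformed or tampered os-release cannot execute anything.
  if [ -r "$osrel" ]; then
    id=$(sed -n 's/^ID=//p' "$osrel" | tr -d '"')
    like=$(sed -n 's/^ID_LIKE=//p' "$osrel" | tr -d '"')
  fi
  case " $id $like " in
    *" debian "*|*" ubuntu "*)
      # update-ca-certificates only imports files with a .crt extension
      echo "install -m 0644 $ca /usr/local/share/ca-certificates/docker-magento-ca.crt && update-ca-certificates" ;;
    *" arch "*)
      echo "trust anchor --store $ca" ;;
    *" fedora "*|*" rhel "*|*" centos "*)
      # Assumed addition (not in the thread): the p11-kit anchor dir on Fedora/RHEL
      echo "install -m 0644 $ca /etc/pki/ca-trust/source/anchors/docker-magento-ca.pem && update-ca-trust" ;;
    *)
      echo "unsupported distribution: ID='$id' ID_LIKE='$like'" >&2
      return 1 ;;
  esac
}

# Demonstration on a constructed os-release file (not the host's real one).
demo=$(mktemp)
printf 'NAME="Ubuntu"\nID=ubuntu\nID_LIKE=debian\n' > "$demo"
ca_install_cmd "$(uname)" "$demo" rootCA.pem
rm -f "$demo"
```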

@markshust
Owner

David Alger was nice enough to share his setup for Warden -- perhaps something like this can be integrated into this setup https://github.com/davidalger/warden/blob/develop/commands/install.cmd#L38-L56

@Forien

Forien commented Mar 19, 2020

I can confirm that bin/setup-ssl-ca was failing on my Ubuntu 18.04.4 LTS.

I modified the script and here is the working one:

#!/bin/bash
docker-compose exec -T -u root app mkcert -install
docker cp $(docker-compose ps -q app|awk '{print $1}'):/root/.local/share/mkcert/rootCA.pem .
echo "System password requested to install certificate authority on host..."

#sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain rootCA.pem

sudo mv rootCA.pem /usr/local/share/ca-certificates/rootCA.pem
sudo update-ca-certificates

#rm rootCA.pem

hope this helps!

@markshust
Owner

Perhaps we should move mkcert out of the container, and onto the host? I've been trying to avoid adding any dependencies on the host machine, however mkcert seems to take care of all of this for us automatically, so it may be worth the switch:

https://github.com/FiloSottile/mkcert#installation

@shochdoerfer
Contributor Author

I feel that's a good idea.

@markshust
Owner

I've been a bit shut down since March, thanks for being patient.

I modified bin/setup-ssl-ca with the following contents:

#!/bin/bash
docker-compose exec -T -u root app mkcert -install
docker cp $(docker-compose ps -q app|awk '{print $1}'):/root/.local/share/mkcert/rootCA.pem .
echo "System password requested to install certificate authority on host..."

if [ "$(uname)" == "Darwin" ]; then
  sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain rootCA.pem
  rm rootCA.pem
else
  sudo mv rootCA.pem /usr/local/share/ca-certificates/rootCA.pem
  sudo update-ca-certificates
fi

This seems like the least-invasive solution. Let's see if it works. I hate adding host dependencies.

This new version will be in the 33.0.0 tag going out later today. Please reopen/comment on this ticket if it isn't working.

@santibm

santibm commented Jul 26, 2021

We have issues with the certificates on Ubuntu and Firefox; what seemed to work finally was:

Moving the certificate as .crt instead of pem:
sudo mv rootCA.pem /usr/local/share/ca-certificates/rootCA.crt

Then adding a policies.json file:

{
  "policies": {
    "Certificates": {
      "Install": ["rootCA.crt", "/usr/local/share/ca-certificates/rootCA.crt"]
    }
  }
}

As specified here:
https://github.com/mozilla/policy-templates/#certificates--install

Which also mentions the location of that json file:
On Linux, the file goes into firefox/distribution, where firefox is the installation directory for firefox, which varies by distribution or you can specify system-wide policy by placing the file in /etc/firefox/policies.

@santibm

santibm commented Jul 27, 2021

Here is how our copy of setup-ssl-ca finally works for both Firefox and Chrome on Mac and Linux (only Ubuntu 20.04 tested):

echo "System password requested to install certificate authority on host..."
if [ "$(uname)" == "Darwin" ]; then
  sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain rootCA.pem

  ### Check if Firefox is installed
  FFoxBin="/Applications/Firefox.app/Contents/MacOS/firefox-bin"
  if [ -f "$FFoxBin" ]; then
    sudo echo "{\"policies\": {\"Certificates\": {\"ImportEnterpriseRoots\": true}}}" > policies.json

    ### Check if distribution directory exists
    DistDirectory="/Applications/Firefox.app/Contents/Resources/distribution"
    if [ ! -d "$DistDirectory" ]; then
      sudo mkdir "$DistDirectory"
    fi
    ### Move the newly created policies.json to the Certificates directory
    sudo mv policies.json "$DistDirectory"/policies.json

    ### Check if Certificates directory exists
    CertDirectory="/Library/Application Support/Mozilla/Certificates"
    if [ ! -d "$CertDirectory" ]; then
      sudo mkdir "$CertDirectory"
    fi

    ### Move the newly created .pem to the Certificates directory
    sudo mv rootCA.pem "$CertDirectory"/rootCA.pem

  else
    sudo rm rootCA.pem
  fi

else

  ### Requirement: apt install libnss3-tools
  REQUIRED_PKG="libnss3-tools"
  PKG_OK=$(dpkg-query -W --showformat='${Status}\n' $REQUIRED_PKG|grep "install ok installed")
  echo Checking for $REQUIRED_PKG: $PKG_OK
  if [ "" = "$PKG_OK" ]; then
    echo "No $REQUIRED_PKG found. Setting up $REQUIRED_PKG."
    sudo apt-get --yes install $REQUIRED_PKG
  fi

  ### CA file to install (CUSTOMIZE!)
  certfile="rootCA.pem"
  certname="Root CA"

  ### For cert8 (legacy - DBM)
  for certDB in $(find ~/ -name "cert8.db")
  do
      certdir=$(dirname ${certDB});
      certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i ${certfile} -d dbm:${certdir}
  done

  ### For cert9 (SQL)
  for certDB in $(find ~/ -name "cert9.db")
  do
      certdir=$(dirname ${certDB});
      certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i ${certfile} -d sql:${certdir}
  done

  sudo mv rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
  sudo update-ca-certificates

fi

@markshust markshust reopened this Jul 27, 2021
@santibm

santibm commented Jul 28, 2021

Actually, we made one last change to remove the existing cert on Linux machines. Should I make a PR for this?

@markshust
Owner

@santibm that would be great, as long as it's backwards-compat with mac, I'll gladly take it in.

@draper87

draper87 commented Aug 6, 2021

> I've been a bit shut down since March, thanks for being patient.
>
> I modified bin/setup-ssl-ca with the following contents:
>
> #!/bin/bash
> docker-compose exec -T -u root app mkcert -install
> docker cp $(docker-compose ps -q app|awk '{print $1}'):/root/.local/share/mkcert/rootCA.pem .
> echo "System password requested to install certificate authority on host..."
>
> if [ "$(uname)" == "Darwin" ]; then
>   sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain rootCA.pem
>   rm rootCA.pem
> else
>   sudo mv rootCA.pem /usr/local/share/ca-certificates/rootCA.pem
>   sudo update-ca-certificates
> fi
>
> This seems like the least-invasive solution. Let's see if it works. I hate adding host dependencies.
>
> This new version will be in the 33.0.0 tag going out later today. Please reopen/comment on this ticket if it isn't working.

On Ubuntu 18.04 it is not working: I run bin/setup-ssl-ca (I get no errors), then bin/setup-ssl magento.test, but I still get an invalid certificate in Chrome and Firefox.

@draper87

draper87 commented Aug 6, 2021

> Here is how our copy of setup-ssl-ca finally works for both Firefox and Chrome on Mac and Linux (only Ubuntu 20.04 tested):
>
> echo "System password requested to install certificate authority on host..."
> if [ "$(uname)" == "Darwin" ]; then
>   sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain rootCA.pem
>
>   ### Check if Firefox is installed
>   FFoxBin="/Applications/Firefox.app/Contents/MacOS/firefox-bin"
>   if [ -f "$FFoxBin" ]; then
>     sudo echo "{\"policies\": {\"Certificates\": {\"ImportEnterpriseRoots\": true}}}" > policies.json
>
>     ### Check if distribution directory exists
>     DistDirectory="/Applications/Firefox.app/Contents/Resources/distribution"
>     if [ ! -d "$DistDirectory" ]; then
>       sudo mkdir "$DistDirectory"
>     fi
>     ### Move the newly created policies.json to the Certificates directory
>     sudo mv policies.json "$DistDirectory"/policies.json
>
>     ### Check if Certificates directory exists
>     CertDirectory="/Library/Application Support/Mozilla/Certificates"
>     if [ ! -d "$CertDirectory" ]; then
>       sudo mkdir "$CertDirectory"
>     fi
>
>     ### Move the newly created .pem to the Certificates directory
>     sudo mv rootCA.pem "$CertDirectory"/rootCA.pem
>
>   else
>     sudo rm rootCA.pem
>   fi
>
> else
>
>   ### Requirement: apt install libnss3-tools
>   REQUIRED_PKG="libnss3-tools"
>   PKG_OK=$(dpkg-query -W --showformat='${Status}\n' $REQUIRED_PKG|grep "install ok installed")
>   echo Checking for $REQUIRED_PKG: $PKG_OK
>   if [ "" = "$PKG_OK" ]; then
>     echo "No $REQUIRED_PKG found. Setting up $REQUIRED_PKG."
>     sudo apt-get --yes install $REQUIRED_PKG
>   fi
>
>   ### CA file to install (CUSTOMIZE!)
>   certfile="rootCA.pem"
>   certname="Root CA"
>
>   ### For cert8 (legacy - DBM)
>   for certDB in $(find ~/ -name "cert8.db")
>   do
>       certdir=$(dirname ${certDB});
>       certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i ${certfile} -d dbm:${certdir}
>   done
>
>   ### For cert9 (SQL)
>   for certDB in $(find ~/ -name "cert9.db")
>   do
>       certdir=$(dirname ${certDB});
>       certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i ${certfile} -d sql:${certdir}
>   done
>
>   sudo mv rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
>   sudo update-ca-certificates
>
> fi

Not working on Ubuntu 18.04. When I run bin/setup-ssl-ca I get:

Using the local CA at "/root/.local/share/mkcert" ✨
The local CA is already installed in the system trust store! 👍

System password requested to install certificate authority on host...
Checking for libnss3-tools: install ok installed
find: ‘/home/draper87/......’: Permission denied
find: ‘/home/draper87/.......’: Permission denied
....

If I put sudo find on lines 53 & 61 I get:

Using the local CA at "/root/.local/share/mkcert" ✨
The local CA is already installed in the system trust store! 👍

System password requested to install certificate authority on host...
Checking for libnss3-tools: install ok installed
certutil: could not find certificate named "Root CA": SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.

@markshust
Owner

I merged #500 which should resolve this issue. Please wait for version 40.0.0 to be tagged before testing. If it still doesn't work, please let me know and I will reopen this ticket.
