Can't use custom certificate authority to verify hosts #2659

Closed
jcharaoui opened this issue Feb 19, 2018 · 6 comments
Comments

@jcharaoui
Contributor

We deploy certificates signed by an in-house CA to all our XenServer instances. We added this CA certificate to the system certificate trust store (/etc/ssl/certs, via update-ca-certificates) but for some reason that was not enough for Xen Orchestra to recognize the XenServer client certificate as valid.

Well it turns out that node.js doesn't care about the system certificate trust store and instead ships with an internal, hardcoded list of certificates.

There are various ways to work around this, but I think the best way would be to simply disregard the node.js hardcoded certificates and implement the local system certificate store which is easier to manipulate and (importantly) maintain up to date.

@jcharaoui
Contributor Author

So I researched this a little bit further, and it turns out this particular issue is fixed in current versions of node.js and LTS version 6.11.0 which is only one release after the version bundled in XOA (6.10.3).

@julien-f
Member

julien-f commented Feb 20, 2018

If you are using XOA, you can upgrade Node with this command line (as root):

curl https://gist.githubusercontent.com/julien-f/74c41ea1f28e43014d0c8e4da5a37ff8/raw/upgrade-node.sh | sh

@jcharaoui
Contributor Author

@julien-f Is it safe to do so? Is XO known to work with node 8? And is it possible to downgrade to the current version of node in case we hit problems?

@julien-f
Member

julien-f commented Feb 20, 2018

I advise you to make a snapshot, just to be safe, but you should not have any issues, I've done it for tens of customers without issues.
And yes, it's possible to downgrade if necessary 😃

@jcharaoui
Contributor Author

@julien-f OK, I upgraded node using the script and the process completed without issues. However, the certificate problem persisted. That's because the default builds of node.js are still configured to use their own hardcoded certificates.

The fix is to add Environment=NODE_OPTIONS=--use-openssl-ca in the xo-server systemd unit file.

@olivierlambert
Member

Thanks for the hint! We'll update our documentation accordingly :)
