Can't use custom certificate authority to verify hosts #2659
Comments
So I researched this a little bit further, and it turns out this particular issue is fixed in current versions of node.js and LTS version 6.11.0 which is only one release after the version bundled in XOA (6.10.3).
If you are using XOA, you can upgrade Node with this command line (as root):
@julien-f Is it safe to do so? Is XO known to work with node 8? And is it possible to downgrade to the current version of node in case we hit problems?
I advise you to make a snapshot, just to be safe, but you should not have any issues, I've done it for tens of customers without issues.
@julien-f OK I upgraded node using the script and the process completed without issues. However the certificate problem persisted. That's because the default builds of node.js are still configured to use its own hardcoded certificates. The fix is to add
Thanks for the hint! We'll update our documentation accordingly :)
We deploy certificates signed by an in-house CA to all our XenServer instances. We added this CA certificate to the system certificate trust store (/etc/ssl/certs, via update-ca-certificates) but for some reason that was not enough for Xen Orchestra to recognize the XenServer client certificate as valid.
Well it turns out that node.js doesn't care about the system certificate trust store and instead ships with an internal, hardcoded list of certificates.
There are various ways to work around this, but I think the best way would be to simply disregard the node.js hardcoded certificates and implement the local system certificate store which is easier to manipulate and (importantly) maintain up to date.
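One way for a Node client to honour a CA that lives in the system store, as an added example (not code from Xen Orchestra or from this thread): parse the PEM bundle, merge it with Node's built-in roots without duplicates, and pass the result as the TLS `ca` option. The function names, the sample bundle and the bundle path in the comment are assumptions of the example.

```javascript
const tls = require('tls');
const https = require('https');
const crypto = require('crypto');

const PEM_RE = /-----BEGIN CERTIFICATE-----([A-Za-z0-9+\/=\s]+?)-----END CERTIFICATE-----/g;

// Split a PEM bundle into certificates, each with the SHA-256 of its DER bytes.
function splitPemBundle(bundleText) {
  const certs = [];
  for (const m of bundleText.matchAll(PEM_RE)) {
    const der = Buffer.from(m[1].replace(/\s+/g, ''), 'base64');
    if (der.length === 0) continue; // skip empty blocks
    const sha256 = crypto.createHash('sha256').update(der).digest('hex');
    certs.push({ pem: m[0], sha256 });
  }
  return certs;
}

// Build the list for the TLS `ca` option. Setting `ca` replaces Node's
// bundled roots, so they are appended again unless keepBundledRoots is false.
function buildCaList(extraBundleText, { keepBundledRoots = true } = {}) {
  const sources = [extraBundleText];
  if (keepBundledRoots) sources.push(tls.rootCertificates.join('\n'));
  const seen = new Set();
  const pems = [];
  for (const text of sources) {
    for (const { pem, sha256 } of splitPemBundle(text)) {
      if (seen.has(sha256)) continue; // same certificate listed twice
      seen.add(sha256);
      pems.push(pem);
    }
  }
  return pems;
}

// HTTPS agent that verifies servers against the merged list.
function agentTrusting(extraBundleText, opts) {
  return new https.Agent({ ca: buildCaList(extraBundleText, opts), rejectUnauthorized: true });
}

// Constructed sample: two of Node's own roots stand in for the in-house CA
// bundle (one listed twice). On a real host the text would come from the
// file update-ca-certificates maintains, e.g.
// fs.readFileSync('/etc/ssl/certs/ca-certificates.crt', 'utf8') (assumed path).
const SAMPLE_BUNDLE = ['# constructed sample bundle', tls.rootCertificates[0],
  tls.rootCertificates[0], tls.rootCertificates[1]].join('\n');

console.log('in sample:', splitPemBundle(SAMPLE_BUNDLE).length,
  'merged trust list:', buildCaList(SAMPLE_BUNDLE).length);
```

With `keepBundledRoots: false` the agent trusts only the supplied bundle, which suits a client that should talk to internal hosts and nothing else.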