
ca-certificates #42

Open
nfour14 opened this issue Oct 31, 2020 · 7 comments

@nfour14

nfour14 commented Oct 31, 2020

Hi! Just started using this image/container.

Is there a mechanism to update the ca-certificates.crt file? Seems like it's updating it in /etc/ssl but not the copy in /unbound.

I know this is a bit old now and you might not be maintaining it anymore, but I figured I would ask.

@qdm12
Owner

qdm12 commented Nov 1, 2020

Hi there!

I'm still maintaining it, although I haven't got the time so far to do a big rewrite of it.

Anyway, I don't think (on my phone) the program updates anything besides the block lists, the named root and the root key from https://github.com/qdm12/files

Why would it need to update the certificates file?

Thanks for your suggestion!

@nfour14
Author

nfour14 commented Nov 1, 2020

Excellent!

In terms of the certificate files, it looks like unbound has a "tls-cert-bundle" specified, which means it is verifying the certificates of the forwarders AFAIK.

That cert bundle is ca-certificates.crt, which you are pulling in during build time it looks like:
apk --update --progress -q add ca-certificates unbound libcap && \

So I would imagine when the container is built it gets the newest cert bundle.

"tls-cert-bundle" points to /unbound/ca-certificates.crt

This kind of sums it up: https://www.ctrl.blog/entry/unbound-tls-forwarding.html

The bundle has root certs that might expire, get updated, etc., so if you run "update-ca-certificates" it updates the bundle.

https://www.shocknetwork.com/2020/06/15/use-update-ca-trust-or-update-ca-certificates/

I might be 100% wrong, or maybe it's not a huge deal. Just figured I would ask :)

@nfour14
Author

nfour14 commented Nov 2, 2020

I wanted to add - I think when you "apk update" it takes down the newest certificate bundle to /etc/ssl/certs. I tried linking the unbound config file to /etc/ssl/certs/ca-certificate.crt and when the health check happens, unbound cannot restart due to file permissions. I might try to fix that this weekend and see if I can do something simple.

@qdm12
Owner

qdm12 commented Nov 2, 2020

Don't worry, I'll do it in Go (the glue language to supervise Unbound). Either with Alpine's apk or with another way preferably (to avoid depending on Alpine too much). I should be able to do it in the coming week.

@nfour14
Author

nfour14 commented Nov 2, 2020

Thanks, that's appreciated!

@qdm12
Owner

qdm12 commented Jan 2, 2021

Sorry for the long delay! I had a look into it this morning, and it looks rather complicated to update in an OS-agnostic way; I'm not sure where to fetch it from except using Alpine's builtin apk 😕 I'll have another look soon.

@qdm12
Owner

qdm12 commented Apr 11, 2021

Asked on Reddit here.

Also found curl.se/docs/caextract.html which seems to be an extract of Mozilla CA certificates.

It might have to be transformed to be in the same form as it is on Alpine with

docker run -it --rm alpine:3.13
apk add ca-certificates
ls /etc/ssl/certs

I'll investigate more in the coming days, thanks for your patience.
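The check the thread circles around (is the bundle that tls-cert-bundle points at still good, and is a freshly fetched one safe to swap in?), written here as an added Go example that is not code from the qdm12 container project: it parses a PEM bundle such as /unbound/ca-certificates.crt or curl's cacert.pem extract, counts expired roots, and rejects an empty or unparsable file before a supervisor would install it. The function names and the self-signed sample certificates are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// BundleReport parses a PEM CA bundle (the format of /unbound/ca-certificates.crt and curl's
// cacert.pem) and counts its roots and how many have expired at `now`; an empty or corrupt bundle is an error.
func BundleReport(bundle []byte, now time.Time) (total, expired int, err error) {
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // ignore stray non-certificate PEM blocks
		}
		cert, perr := x509.ParseCertificate(block.Bytes)
		if perr != nil {
			return 0, 0, fmt.Errorf("invalid certificate in bundle: %w", perr)
		}
		total++
		if now.After(cert.NotAfter) {
			expired++
		}
	}
	if total == 0 {
		return 0, 0, fmt.Errorf("bundle contains no certificates")
	}
	return total, expired, nil
}

// selfSignedPEM builds a constructed self-signed CA certificate (sample input, not a real root).
func selfSignedPEM(notBefore, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
func main() {
	now := time.Now()
	bundle := append(selfSignedPEM(now.Add(-time.Hour), now.Add(24*time.Hour)),
		selfSignedPEM(now.Add(-48*time.Hour), now.Add(-time.Hour))...)
	fmt.Println(BundleReport(bundle, now)) // prints: 2 1 <nil>
}
```

Pointing the check at the real file before and after a refresh (and refusing the swap on a non-nil error) is the guard a supervisor such as the Go glue described above would want.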

@qdm12 qdm12 added this to the v2.x.0 milestone Sep 5, 2021