Symlink OpenSSL default cert file to Debian cert path
What does this MR do?
Debian populates certificates in /etc/ssl/certs/ca-certificates.crt, but OpenSSL expects the default file to be /usr/lib/ssl/cert.pem. Ruby uses OpenSSL::X509::DEFAULT_CERT_FILE, which is set to /usr/lib/ssl/cert.pem by default. To make it possible for Ruby to use this bundle path, we create a symlink to this file.

Note that in theory this shouldn't have been a problem, because OpenSSL::X509::DEFAULT_CERT_DIR points to /usr/lib/ssl/certs, which is a symlink to /etc/ssl/certs. But it appears that DEFAULT_CERT_DIR isn't used when Ruby calls OpenSSL::X509::Store#verify.

This prevented newly-issued LetsEncrypt certificate chains from being verified.
Related issues
Relates to gitlab-org/gitlab#342326 (closed)
Test
- First, download the cert:
curl -O https://acme-v02.api.letsencrypt.org/acme/cert/04e48013f5b0406b136c3248d6f0cbf7e78a
- Then run:
require 'openssl'
# The downloaded ACME response is the full PEM chain, leaf certificate first
crt = File.read('04e48013f5b0406b136c3248d6f0cbf7e78a')
x509 = OpenSSL::X509::Certificate.new(crt)   # parses only the first (leaf) certificate
store = OpenSSL::X509::Store.new
store.set_default_paths                      # DEFAULT_CERT_FILE and DEFAULT_CERT_DIR
store.add_file('04e48013f5b0406b136c3248d6f0cbf7e78a')  # also trust every cert in the chain file
puts store.verify(x509)
puts store.error_string
Without the symlink:
$ ruby test.rb
false
certificate has expired
With the symlink:
$ ruby test.rb
true
ok
Test with proper validation call
Note that gitlab-org/gitlab!71697 (merged) fixes the problem so that SSL_CERT_FILE does not need to be correct for CNG. But in Omnibus, it fails even with this code:
require 'openssl'
crt = File.read('04e48013f5b0406b136c3248d6f0cbf7e78a')
x509 = OpenSSL::X509::Certificate.new(crt)   # leaf certificate (first PEM block)
store = OpenSSL::X509::Store.new
store.set_default_paths                      # trust only the system bundle this time
# Split the chain file on blank lines and pass the certificates as the untrusted chain
certificate_chain = []
crt.split("\n\n").each do |c|
  certificate_chain << OpenSSL::X509::Certificate.new(c)
end
puts store.verify(x509, certificate_chain)
puts store.error_string
$ SSL_CERT_FILE=/tmp/nowhere.txt /opt/gitlab/embedded/bin/ruby ok.rb
false
unable to get local issuer certificate
Whereas on CNG, SSL_CERT_DIR appears to work fine:
root@fb9557d75713:/tmp# SSL_CERT_FILE=/tmp/nowhere.txt ruby ok.rb
true
ok
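The Store#verify behaviour both test scripts exercise (a leaf is only accepted when its intermediate is supplied in the chain argument, otherwise OpenSSL reports "unable to get local issuer certificate"), reproduced offline as an added example that is not part of this MR: it builds a constructed three-tier PKI in memory, so no download and no system bundle are needed, and `effective_cert_file` is a hypothetical helper that picks the first readable bundle from DEFAULT_CERT_FILE and the Debian path.

```ruby
require 'openssl'

# Build a v3 X.509 certificate; self-signed when no issuer is given (constructed test PKI).
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  # Without basicConstraints CA:TRUE, OpenSSL refuses to use a v3 cert as an issuer.
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest::SHA256.new)
  cert
end

ROOT_KEY  = OpenSSL::PKey::RSA.new(2048)
INTER_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)
ROOT  = make_cert('/CN=Example Root', ROOT_KEY, ca: true)
INTER = make_cert('/CN=Example Intermediate', INTER_KEY, issuer_cert: ROOT, issuer_key: ROOT_KEY, ca: true)
LEAF  = make_cert('/CN=example.test', LEAF_KEY, issuer_cert: INTER, issuer_key: INTER_KEY)

# Verify `leaf` against a store that trusts only `root`; `chain` holds untrusted intermediates,
# exactly as the second argument of OpenSSL::X509::Store#verify is used in the MR's test script.
def verify_with_chain(root, leaf, chain)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  [store.verify(leaf, chain), store.error_string]
end

# Hypothetical helper: first readable CA bundle, preferring OpenSSL's compiled-in default
# and falling back to the Debian bundle path the symlink in this MR points at.
def effective_cert_file(default: OpenSSL::X509::DEFAULT_CERT_FILE,
                        fallback: '/etc/ssl/certs/ca-certificates.crt')
  [default, fallback].find { |path| File.file?(path) && File.readable?(path) }
end

if __FILE__ == $PROGRAM_NAME
  p verify_with_chain(ROOT, LEAF, [])       # => [false, "unable to get local issuer certificate"]
  p verify_with_chain(ROOT, LEAF, [INTER])  # => [true, "ok"]
  p effective_cert_file
end
```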
Checklist
See Definition of done.
For anything in this list which will not be completed, please provide a reason in the MR discussion
Required
- Merge Request Title, and Description are up to date, accurate, and descriptive
- MR targeting the appropriate branch
- MR has a green pipeline on GitLab.com
Expected (please provide an explanation if not completing)
- Test plan indicating conditions for success has been posted and passes
- Documentation created/updated
- Integration tests added to GitLab QA
- The impact any change in container size has should be evaluated