dcos/dcos-cli

Can't set custom CA bundle for SSL verification with privately signed certificate

Closed this issue · 3 comments

Please answer the following questions before submitting your issue. Thanks!

What version of DC/OS + DC/OS CLI are you using (dcos --version)?

DC/OS: 1.9
CLI: 0.4.16 (Latest Github release as of writing)

What operating system and version are you using?

CentOS Linux release 7.3.1611 (Core)

What did you do?

  • Configure the DC/OS frontend with a privately signed certificate (private CA).
  • Using the CA which signed the certificate, issue a curl to validate SSL verification is working:

        $ curl --cacert /path/to/ca.crt https://dcos.example.com
        ...bunch of output...

  • Configure the DC/OS CLI:

        $ dcos config set core.ssl_verify /path/to/ca.crt
        $ dcos config set core.dcos_url https://dcos.example.com

  • Attempt to login with the CLI:

        $ dcos auth login
        An SSL error occurred. To configure your SSL settings, please run: `dcos config set core.ssl_verify <value>`
        <value>: Whether to verify SSL certs for HTTPS or path to certs. Valid values are True, False, or a path to a CA_BUNDLE.

By running with a higher log level, I can see that OpenSSL is throwing the following error:

ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

What did you expect to see?

$ dcos auth login
dcos.example.com's user: example
example@dcos.example.com's password:
Login successful!

What did you see instead?

$ dcos auth login
An SSL error occurred. To configure your SSL settings, please run: `dcos config set core.ssl_verify <value>`
<value>: Whether to verify SSL certs for HTTPS or path to certs. Valid values are True, False, or a path to a CA_BUNDLE.

Thanks for reporting the issue.

curl --cacert works slightly differently than core.ssl_verify. curl --cacert appends the peer cert to the CA bundle on your machine (list of trusted root CA certs). core.ssl_verify=path expects the path to the bundle. I assume this is your problem. You can verify using httpie, which is a curl wrapper. Their --verify flag works like core.ssl_verify.

If this is not the case, can you please provide steps on how you configured your CA?

I used --cacert just to avoid ambiguity about which CA was being used. The CA chain is actually just appended to the system chain. So a plain curl https://dcos.example.com works, for example.

Is there some other way I should be building the CA bundle?

Hmm, I think I figured it out. I removed a bunch of additional CAs from the bundle that were added by our corporate distributor, and just retained the chain visible from the browser, and then set core.ssl_verify to that bundle and that worked.

Thanks for the help.
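An added diagnostic (not part of this thread or the dcos-cli project) that reproduces what core.ssl_verify=&lt;path&gt; does outside the CLI: it counts the PEM blocks in a bundle, loads the bundle into a verify-only OpenSSL context with no system CAs mixed in, and optionally performs a handshake trusting only that bundle, so a CERTIFICATE_VERIFY_FAILED or an unparseable entry (such as extra corporate CAs) shows up with its reason. Host names and paths are placeholders; the PEM text in the test is constructed, not a real certificate.

```python
import re
import socket
import ssl
from typing import List, Optional

# Matches one PEM certificate block inside a bundle file.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def pem_blocks(bundle_text: str) -> List[str]:
    """Return every PEM certificate block in the bundle, in file order."""
    return PEM_CERT.findall(bundle_text)


def bundle_load_error(bundle_text: str) -> Optional[str]:
    """Load the bundle the way a verifying Python HTTPS client does for
    verify=<path>: a client context that requires a cert and checks the
    hostname, with no system CAs added. Returns None if OpenSSL accepts
    the bundle, otherwise the error text (e.g. 'no start line')."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata=bundle_text)
    except (ssl.SSLError, ValueError) as exc:
        return getattr(exc, "reason", None) or str(exc)
    return None


def verify_host(host: str, cafile: str, port: int = 443) -> Optional[str]:
    """Handshake with host trusting only cafile, like core.ssl_verify=<path>.
    Returns None on success, else the OpenSSL reason,
    e.g. 'CERTIFICATE_VERIFY_FAILED'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLError as exc:
        return exc.reason or str(exc)


if __name__ == "__main__":
    import sys
    cafile, host = sys.argv[1], sys.argv[2]  # e.g. /path/to/ca.crt dcos.example.com
    with open(cafile) as f:
        text = f.read()
    print(f"{len(pem_blocks(text))} PEM certificate block(s) in {cafile}")
    print("bundle load:", bundle_load_error(text) or "ok")
    print("handshake:", verify_host(host, cafile) or "ok")
```

If the bundle loads but the handshake still reports CERTIFICATE_VERIFY_FAILED, the bundle does not contain the issuing chain the server presents; if the load itself fails, an entry in the bundle is not a parseable PEM certificate.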