docspell/dsc

Self-Signed Certificate

TheOneValen opened this issue · 7 comments

Hi!

Currently I cannot use dsc due to my instance using a certificate signed by a private PKI. I added the root to my system-wide trust store (curl and stuff all works) but dsc won't.

Which trust store does the client use?

I also propose an option to provide the key via CLI (and/or config.toml) for folks that use self-signed certs without a PKI.

Have a nice day!

eikek commented

Oh, good question! What package do you use - the ones from the release page? If so, they are built using rustls. This may have its own strategy regarding trust stores. I couldn't find anything useful from a quick search. Might be that you need to build it yourself and try things out. For example, you could build it on your machine linking it against openssl - this should then use your system's trust store.

Another try might be building with the feature rustls-tls-native-roots, like using this line in Cargo.toml:

[features]
…
rustls = ["reqwest/rustls-tls", "rustls-tls-native-roots"]

When using rustls, this crate seems to integrate the system's trust store with rustls, which is mentioned in the docs of the reqwest library. If that would work, we can add it to subsequent builds.

The last point, I'm not sure I understand: is it good enough if the tool is using the system trust store or do you want an option to specify your root certificate directly?

eikek commented

Hi @TheOneValen - I added an option to specify a certificate file that is then added to the trusted certificates when connecting to the docspell server. It should be available shortly in the release section (nightly). If you can find some time to try it with your setup, it would be great to know whether it works for you.

Sorry for my delayed reply. Is this already in an official release or should I test it from some nightly?

eikek commented

No worries! It is already in the current release, there is a --extra-certificate global option.

Works like a charm! I just cannot get it to work using the .toml, have to use the cli option. Is this intended?

eikek commented

Oh right - that is simply not done! But it should be… I think the proxy settings and certificate are good to have in the config. Needs a new issue.