eclipse-opendut/opendut

EDGAR Setup - Replace the usage of update-ca-certificates by another solution

Opened this issue · 1 comment

We are using Netbird, which requires a certificate to communicate with our backend system. Currently we use the certificate we get from the EDGAR setup string and write it to disk.

The location where the Netbird certificate is stored is: /usr/local/share/ca-certificates/opendut-ca.crt.
We defined the path to that file in opendut-edgar/src/setup/constants.rs, line ~29.

pub fn default_netbird_ca_certificate_path() -> PathBuf {
    PathBuf::from("/usr/local/share/ca-certificates/opendut-ca.crt")
}

Currently, in the task WriteCaCertificates, we are using the command update-ca-certificates to make the certificate known and usable for Netbird. This command adds the certificate to the OS trust store, but it will not work on some Linux distributions, so EDGAR cannot be started on those distributions and tests will fail in `cargo ci check`. This happens around line 119 ff. in write_ca_certificates.rs.

let update_ca_certificates = which::which("update-ca-certificates")
    .context(String::from("No command `update-ca-certificates` found. Ensure your system provides this command."))?;

command_runner.run(
    &mut Command::new(update_ca_certificates) //Update OS certificate store, as NetBird reads from there
).context("update-ca-certificates could not be executed successfully!")?;

Netbird is able to use the environment variable SSL_CERT_FILE, pointing to a certificate authority file, which may be used to solve this issue.
So the idea is to provide a way to set this variable and make it available to Netbird. To achieve this, the /etc/systemd/system/netbird.service file has to be updated.

The service file might look similar to this:

[Unit]
Description=A WireGuard-based mesh network that connects your devices into a single private network.
ConditionFileIsExecutable=/opt/opendut/edgar/netbird/netbird

After=network.target syslog.target

[Service]
StartLimitInterval=5
StartLimitBurst=10
ExecStart=/opt/opendut/edgar/netbird/netbird "service" "run" "--config" "/etc/netbird/config.json" "--log-level" "info" "--log-file" "/var/log/netbird/client.log"

StandardOutput=file:/var/log/netbird/netbird.out
StandardError=file:/var/log/netbird/netbird.err

Restart=always

RestartSec=120
EnvironmentFile=-/etc/sysconfig/netbird

[Install]
WantedBy=multi-user.target

To tell Netbird the location of the certificate via the environment variable, we would need to add this under [Service]:

[Unit]
... 

[Service]
...
Environment="SSL_CERT_FILE=path/to/opendut-ca.crt"
...

Relates to #263
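As an added example, not code from the openDuT project or from this issue, here is one way EDGAR's setup could implement the SSL_CERT_FILE approach described above in Rust. Instead of rewriting /etc/systemd/system/netbird.service in place (which `netbird service install` regenerates), it writes a systemd drop-in under `netbird.service.d/` that adds the `Environment=` line to the `[Service]` section, after checking that the certificate path exists and can be quoted safely. The function names, the drop-in file name `10-opendut-ca.conf`, and the `unit_dir` parameter are assumptions of this example; the default paths are the ones named in the issue. One caveat worth knowing before choosing this route: NetBird is a Go program, and Go's crypto/x509 on Unix treats SSL_CERT_FILE as a replacement for the default CA bundle file rather than an addition to it (the default certificate directories are still scanned unless SSL_CERT_DIR is also set), so the file the variable points to must contain every CA NetBird needs to trust, not only the openDuT CA.

```rust
use std::env;
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// File name of the drop-in written below `netbird.service.d/` (an assumption of this example).
const DROP_IN_FILE_NAME: &str = "10-opendut-ca.conf";

/// Render a systemd drop-in that sets SSL_CERT_FILE for netbird.service.
/// A drop-in only extends the unit, so the service file installed by
/// `netbird service install` stays untouched and can be reinstalled freely.
pub fn render_ssl_cert_drop_in(ca_certificate_path: &Path) -> String {
    format!(
        "[Service]\nEnvironment=\"SSL_CERT_FILE={}\"\n",
        ca_certificate_path.display()
    )
}

/// Check that the path fits inside a double-quoted `Environment=` assignment, is absolute
/// (the daemon has no useful working directory), and actually points at a file.
/// Otherwise NetBird would start with a broken or empty trust store and fail to reach
/// the management server, which is harder to diagnose than a setup error.
fn validate_ca_certificate_path(ca_certificate_path: &Path) -> io::Result<()> {
    let shown = ca_certificate_path.display().to_string();
    if shown.contains('"') || shown.contains('\n') {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            format!("unsupported character in certificate path: {}", shown),
        ));
    }
    if !ca_certificate_path.is_absolute() {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            format!("certificate path must be absolute: {}", shown),
        ));
    }
    if !ca_certificate_path.is_file() {
        return Err(io::Error::new(
            io::ErrorKind::NotFound,
            format!("CA certificate not found: {}", shown),
        ));
    }
    Ok(())
}

/// Write `<unit_dir>/netbird.service.d/<DROP_IN_FILE_NAME>` and return its path.
/// `unit_dir` is normally /etc/systemd/system; it is a parameter so the function can be
/// exercised against a scratch directory without root.
pub fn write_ssl_cert_drop_in(unit_dir: &Path, ca_certificate_path: &Path) -> io::Result<PathBuf> {
    validate_ca_certificate_path(ca_certificate_path)?;
    let drop_in_dir = unit_dir.join("netbird.service.d");
    fs::create_dir_all(&drop_in_dir)?;
    let drop_in_path = drop_in_dir.join(DROP_IN_FILE_NAME);
    fs::write(&drop_in_path, render_ssl_cert_drop_in(ca_certificate_path))?;
    Ok(drop_in_path)
}

fn main() -> io::Result<()> {
    // Usage: <program> [unit_dir] [ca_certificate_path]; the defaults are the paths from the issue.
    let mut args = env::args().skip(1);
    let unit_dir = PathBuf::from(args.next().unwrap_or_else(|| "/etc/systemd/system".to_string()));
    let ca_path = PathBuf::from(
        args.next()
            .unwrap_or_else(|| "/usr/local/share/ca-certificates/opendut-ca.crt".to_string()),
    );
    let written = write_ssl_cert_drop_in(&unit_dir, &ca_path)?;
    println!(
        "wrote {}; run `systemctl daemon-reload && systemctl restart netbird` to apply it",
        written.display()
    );
    Ok(())
}
```

After the drop-in is written, `systemctl daemon-reload` followed by a restart of netbird is still required, and `systemctl show netbird -p Environment` confirms that the variable reached the unit. The drop-in must be readable by systemd and the certificate by the NetBird process, so the usual 0644 root-owned permissions for both are appropriate.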