Homas / ioc2rpz

ioc2rpz is a place where threat intelligence meets DNS.
Apache License 2.0

Error accessing feed signed with own/corporate CA #50

Open dmgeurts opened 10 months ago

dmgeurts commented 10 months ago

How can I get ioc2rpz to trust the internally signed certificate? The root CA was added to the host cert store and the root CA is also listed at: /opt/ioc2rpz/cfg/ipa_root_ca.crt

Nov 14 13:05:03 rpz.domain.com de8ed755c4fe[2981461]: TLS client: In state wait_cert_cr at ssl_handshake.erl:2138 generated CLIENT ALERT: Fatal - Unknown CA
Nov 14 13:05:03 rpz.domain.com de8ed755c4fe[2981461]: Error downloading feed <<"https://feed.domain.com/tech/blacklists/block.domains.fqdnlist">> reason
    {failed_connect,
     [{to_address, {"feed.domain.com", 443}},
      {inet, [inet],
       {tls_alert,
        {unknown_ca,
         "TLS client: In state wait_cert_cr at ssl_handshake.erl:2138 generated CLIENT ALERT: Fatal - Unknown CA\n"}}}]}

dmgeurts commented 10 months ago

It looks like the following may be needed:

Mount the host ca-certificates into the image (docker-compose.yml):

services:
  ioc2rpz:
    volumes:
      # host CA directory mounted at the path update-ca-certificates reads
      - /usr/local/share/ca-certificates:/usr/local/share/ca-certificates
    # note: command: replaces the image's own CMD, so only this runs
    command: /usr/sbin/update-ca-certificates

But so far the CA still isn't trusted.

Some inspiration taken from here: https://stackoverflow.com/questions/42292444/how-do-i-add-a-ca-root-certificate-inside-a-docker-image

dmgeurts commented 10 months ago

Problem solved by connecting to the image and manually installing ca-certificates and then running update-ca-certificates.

Would be a good addition to add these to the image so that CA certs added to the host can be included as trusted in the ioc2rpz service.
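An added example, not code from ioc2rpz or from this thread: an entrypoint wrapper that does at container start what the last comment did by hand (put the CA into the trust store and run update-ca-certificates), then execs the image's own command. A compose `command:` override replaces that command, which is why the earlier compose attempt leaves nothing running once update-ca-certificates has finished. Assumptions: a Debian/Ubuntu-style image with the ca-certificates package installed (update-ca-certificates reads /usr/local/share/ca-certificates and only picks up files named *.crt), the corporate CA mounted read-only at /extra-cas (a hypothetical path, overridable with EXTRA_CA_DIR), and the service reading the system store, which is what the manual fix relied on.

```sh
#!/bin/sh
# Added example entrypoint wrapper (not from the ioc2rpz project).
# Imports extra CA certificates into the container trust store, rebuilds
# the store, then execs the original command.
# Assumed: Debian/Ubuntu-style image, ca-certificates package present,
# extra CAs mounted at /extra-cas (hypothetical path).
set -eu

: "${EXTRA_CA_DIR:=/extra-cas}"
: "${LOCAL_CA_DIR:=/usr/local/share/ca-certificates}"

# Copy every PEM certificate from $1 into $2, renaming it to *.crt because
# update-ca-certificates ignores any other extension. Anything that is not
# a PEM certificate (DER files, stray text) is skipped, and a file carrying
# a private key is refused so a mis-mounted key never lands in the trust
# directory. Prints the number of certificates installed.
install_extra_cas() {
    src="$1"; dst="$2"; n=0
    mkdir -p "$dst"
    [ -d "$src" ] || { echo 0; return 0; }
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
            echo "skipping $f: contains a private key" >&2
            continue
        fi
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "skipping $f: not a PEM certificate" >&2
            continue
        fi
        base=$(basename "$f")
        name="${base%.*}.crt"
        cp "$f" "$dst/$name"
        n=$((n + 1))
    done
    echo "$n"
}

# Rebuild /etc/ssl/certs and the ca-certificates.crt bundle. Returns 1 if
# the tool is missing so the entrypoint fails closed instead of starting a
# service that will hit "Unknown CA" anyway.
refresh_trust_store() {
    if command -v update-ca-certificates >/dev/null 2>&1; then
        update-ca-certificates >/dev/null
        return 0
    fi
    echo "update-ca-certificates not found; install ca-certificates in the image" >&2
    return 1
}

# Entrypoint mode only when a command to exec was supplied.
if [ "$#" -gt 0 ]; then
    count=$(install_extra_cas "$EXTRA_CA_DIR" "$LOCAL_CA_DIR")
    echo "installed $count extra CA certificate(s) from $EXTRA_CA_DIR" >&2
    refresh_trust_store
    exec "$@"
fi
```

Build it into the image with `ENTRYPOINT ["/entrypoint.sh"]` while keeping the original CMD, and in compose mount the directory that holds ipa_root_ca.crt at /extra-cas:ro rather than the whole cfg directory. To confirm the store itself is right before looking at the application, run `openssl s_client -connect feed.domain.com:443 -CAfile /etc/ssl/certs/ca-certificates.crt </dev/null` inside the container and check for `Verify return code: 0 (ok)`.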