OWASP / O-Saft

O-Saft - OWASP SSL advanced forensic tool
GNU General Public License v2.0

Docker container does not report selfsigned parameter correctly. #107

Closed stitch closed 6 years ago

stitch commented 6 years ago

Hi!

Using the docker container, it's not possible to validate if certificates are self-signed. The check always results in a "no (num=20:unable to get local issuer certificate)".

Command: ['docker', 'run', '--rm', '-it', 'owasp/o-saft', '--trace-key', '--legacy=quick', '+check', '+selfsigned', 'faalkaart.nl:443']

This results in the following issue with selfsigned on any domain: {'typ': 'check', 'line': '654', 'key': 'selfsigned', 'label': 'Certificate is not self-signed', 'value': 'no (num=20:unable to get local issuer certificate)'}

The documentation gives some hints about some systems not being capable of performing this check. I would imagine the distributed docker container would be configured to be able to check self-signing.

Am I missing something?

Regards, Elger

EnDe commented 6 years ago

This is a bug in the docker container, the file ca-certificates.crt is missing. A new docker will come this month ...

EnDe commented 6 years ago

A quick workaround is as follows:

  1. copy a ca-certificates.crt into the running docker container, i.e. to /O-Saft/
  2. change /O-Saft/.o-saft.pl so that it contains: --ca-path=/O-Saft/ --ca-file=/O-Saft/ca-certificates.crt

If you're not used to docker, it can be done with o-saft's tools as follows:

  1. o-saft-docker cp ca-certificates.crt
  2. o-saft-docker call cat .o-saft.pl > .o-saft.pl
  3. echo "--ca-path=/O-Saft/" >> .o-saft.pl
     echo "--ca-file=/O-Saft/ca-certificates.crt" >> .o-saft.pl
  4. ensure that .o-saft.pl is in UNIX-format (only \n not \r\n)
  5. o-saft-docker cp .o-saft.pl

Hope this helps.
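As an added example (not code from the O-Saft project, nor from EnDe's comment), the following Python helper covers the two places where the workaround above tends to go wrong in an automated setup: it performs the config edit from steps 3 and 4 idempotently and with the CRLF-to-LF normalisation, it sanity-checks the CA bundle before it is copied into the container, and it classifies the `selfsigned` value quoted in the issue so that a scanning pipeline records error 20 as "unverifiable" rather than as "not self-signed". It assumes the record format quoted in the issue, that the number after `num=` is an OpenSSL X509 verify error code (the quoted message is OpenSSL's text for code 20), and that a plain `yes` confirms the label "Certificate is not self-signed"; the function names and the sample inputs are constructed for this example.

```python
import re

# Assumption: the "num=" in O-Saft's value is an OpenSSL X509_V_ERR_* code.
# 18/19: self-signed leaf / self-signed certificate in the chain.
# 20/21: the issuer could not be found in the local CA store, which is
#        exactly what a container without ca-certificates.crt produces.
SELF_SIGNED_CODES = {18, 19}
MISSING_LOCAL_CA_CODES = {20, 21}

# The two options the workaround appends to /O-Saft/.o-saft.pl.
CA_OPTIONS = ("--ca-path=/O-Saft/", "--ca-file=/O-Saft/ca-certificates.crt")

_NUM_RE = re.compile(r"num=(\d+)")


def classify_selfsigned(value):
    """Map the 'selfsigned' check value to a verdict a pipeline can store.

    Assumption: the label 'Certificate is not self-signed' is a statement,
    so a plain 'yes' confirms it, a plain 'no' denies it, and
    'no (num=N:...)' means the verification itself failed with error N.
    """
    text = value.strip()
    match = _NUM_RE.search(text)
    if match:
        code = int(match.group(1))
        if code in SELF_SIGNED_CODES:
            return "self-signed"
        if code in MISSING_LOCAL_CA_CODES:
            # No usable CA bundle: the scanner could not decide, so this
            # must never be recorded as "not self-signed".
            return "unverifiable"
        return "verify-error"
    if text.lower().startswith("yes"):
        return "not-self-signed"
    if text.lower().startswith("no"):
        return "self-signed"
    return "unknown"


def classify_record(record):
    """Classify one O-Saft check record (the dict shape quoted in the issue)."""
    if record.get("typ") != "check" or record.get("key") != "selfsigned":
        raise ValueError("not a selfsigned check record: %r" % (record,))
    return classify_selfsigned(record["value"])


def apply_ca_options(config_text):
    """Return .o-saft.pl content with the CA options from steps 3 and 4.

    Line endings are normalised to LF (the container needs UNIX format), and
    each option is appended only if it is not already present, so running
    the helper twice does not duplicate lines.
    """
    text = config_text.replace("\r\n", "\n").replace("\r", "\n")
    present = set(text.split("\n"))
    if text and not text.endswith("\n"):
        text += "\n"
    for option in CA_OPTIONS:
        if option not in present:
            text += option + "\n"
    return text


def count_pem_certs(bundle_text):
    """Count PEM certificate blocks so an empty or mismatched bundle is
    caught before it is copied into the container with 'o-saft-docker cp'."""
    begins = bundle_text.count("-----BEGIN CERTIFICATE-----")
    ends = bundle_text.count("-----END CERTIFICATE-----")
    if begins != ends:
        raise ValueError("malformed PEM bundle: %d BEGIN vs %d END markers"
                         % (begins, ends))
    return begins


# Constructed sample bundle (placeholder body, only the markers matter here).
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # The record quoted in the issue, used here as constructed sample input.
    record = {'typ': 'check', 'line': '654', 'key': 'selfsigned',
              'label': 'Certificate is not self-signed',
              'value': 'no (num=20:unable to get local issuer certificate)'}
    print("selfsigned ->", classify_record(record))
    print("bundle has", count_pem_certs(SAMPLE_BUNDLE), "certificates")
    print(apply_ca_options("--legacy=quick\r\n"), end="")
```

Treating "unverifiable" as its own state is the point: a scanner that cannot build any chain reports the same error 20 for every host, so a pipeline that folds that into "not self-signed" silently passes every certificate until the CA bundle is fixed.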

EnDe commented 6 years ago

Fixed with Dockerfile