brianreumere / gandi-automatic-dns

Dynamic DNS shell script for Gandi

Ugly output about self-signed certificates #6

Closed w00kie closed 9 years ago

w00kie commented 9 years ago

When running gad I get multiple ugly warning messages coming up on my mac. OpenSSL seems not to like Gandi's SSL certificate:

> openssl s_client -quiet -connect rpc.gandi.net:443
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0

Is that something everyone has and I should learn to live with it or is there something I need to do?

brianreumere commented 9 years ago

I've added an option (-c) to specify where your system stores CA certs so that the openssl s_client command verifies Gandi's cert. It actually creates more output, but I added some line breaks to make it more readable. See a7f6f1fbcb48ac61a1cf3f13201c93627e92a920.

brianreumere commented 9 years ago

I've also noticed that version 0.9.something (of OpenSSL) on a Debian box outputs a lot of crap from the openssl command, presumably because the -quiet flag doesn't exist in that version. I'm using 1.something on another box and the -quiet flag works nicely. Somewhat unrelated but I should get this working with LibreSSL on OpenBSD 5.6 soon...

w00kie commented 9 years ago

On Yosemite we don't have a CApath so it's not of much use. What I can do is export all trusted root certificates to one single .pem file and point to that with -CAfile, so it would be nice if gad could check if the -c argument is a file or a directory and use the appropriate openssl argument.

Of course, it only makes sense if -quiet would actually work. Yosemite has OpenSSL 0.9.8za. The man page for s_client says -quiet should make it shut up but no... I also checked on my Ubuntu box with OpenSSL 1.0.1f and it's the same thing.

brianreumere commented 9 years ago

Try the latest commit. -c should work with a filename now as well.

brianreumere commented 9 years ago

gad should be a lot quieter now. I removed the -c option because every version of OpenSSL I've tested with (also LibreSSL) has no way to exit if the certificate verification fails, so it's next to useless. The ugly output was a result of a difference in how Bash and ksh handle stderr of a command substitution (see below), so I just redirected stderr of the openssl s_client command to get rid of the verification messages but retain the method response from domain.zone.version.set() when activating a new zonefile.

On OpenBSD 5.6:

$ echo $KSH_VERSION
@(#)PD KSH v5.2.14 99/07/13.2
$ foo=`ls asdf` 2> ./test
$ cat test
ls: asdf: No such file or directory

On CentOS 7:

$ echo $BASH_VERSION
4.2.45(1)-release
$ foo=`ls asdf` 2> ./test
ls: cannot access asdf: No such file or directory
$ cat test
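The ksh/bash difference shown above, as an added example that is not part of gad or this thread: `noisy_rpc` is a constructed stand-in for `openssl s_client` (method response on stdout, verification chatter on stderr), and all function names are hypothetical.

```sh
#!/bin/sh
# Constructed stand-in for `openssl s_client`: the XML-RPC response goes to
# stdout, the certificate verification messages go to stderr.
noisy_rpc() {
    echo "verify error:num=19:self signed certificate in certificate chain" >&2
    echo "verify return:0" >&2
    echo "<methodResponse>OK</methodResponse>"
}

# Non-portable form from the thread: the redirection is attached to the
# assignment, not to the command inside the backticks. pdksh redirects the
# command's stderr; bash does not, so the chatter leaks to the terminal.
capture_outside() {
    result=`noisy_rpc` 2>/dev/null
    echo "$result"
}

# Portable form (what gad does now): redirect stderr inside the substitution,
# so every POSIX shell discards the chatter and only the response is kept.
capture_inside() {
    result=$(noisy_rpc 2>/dev/null)
    echo "$result"
}

# Prints whatever the non-portable form leaked to stderr. Under bash this is
# the two verify lines; under pdksh it is empty. Run it to see your shell.
leaked_outside() {
    capture_outside 2>&1 >/dev/null
}

echo "portable form captured: $(capture_inside 2>&1)"
echo "non-portable form leaked: [$(leaked_outside)]"
```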