Open mgsloan opened 8 years ago
As already noted in this comment on #907 it should be possible to just set SYSTEM_CERTIFICATE_PATH
to point at the custom certificates.
This is documented in the x509-system sources which we use via http-client-tls.
I currently don't think that there's any need to add any configuration options for certificates, but possibly the env var approach should be documented?!
> but possibly the env var approach should be documented?!
Sure, that'd be good!
And we should test it too! ;)
> it should be possible to just set SYSTEM_CERTIFICATE_PATH to point at the custom certificates.
I can at least get an error when I misconfigure SYSTEM_CERTIFICATE_PATH:

```
~/tmp $ env SYSTEM_CERTIFICATE_PATH=no-certs-here stack new certs-repro
Downloading template "new-template" to create project "certs-repro" in certs-repro/ ...
HttpExceptionRequest Request {
  host = "raw.githubusercontent.com"
  port = 443
  secure = True
  requestHeaders = [("If-None-Match","\"079e366666d8d579d2113e5726d13c4bbff83faf\"")]
  path = "/commercialhaskell/stack-templates/master/new-template.hsfiles"
  queryString = ""
  method = "GET"
  proxy = Nothing
  rawBody = False
  redirectCount = 10
  responseTimeout = ResponseTimeoutDefault
  requestVersion = HTTP/1.1
}
(InternalException (HandshakeFailed (Error_Protocol ("certificate has unknown CA",True,UnknownCa))))
```
I hadn't realized how much the SSL certificate configuration varies by OS. x509-system has separate modules for Windows, OS X and Unix OSs.
Right now I'm thinking about adding an entry like this to the FAQ:
## How can I make `stack` aware of my custom SSL certificates?
### OS X
In principle, you can use the following command to add a certificate to your system certificate keychain:
```
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <certificate>
```
Some users have reported issues with this approach, see [#907](https://github.com/commercialhaskell/stack/issues/907) for more information.
### Other *NIX OSs
Use the `SYSTEM_CERTIFICATE_PATH` environment variable to point at the directory
where you keep your SSL certificates.
I didn't test the OS X approach though!
This isn't really satisfying but I figure it's better than nothing…
I have added the above note to the FAQ (https://github.com/commercialhaskell/stack/commit/836c4a335da4ba8875716e1d6e0d982d1abc717b).
I'm leaving this open as a reminder to add integration tests.
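As an added example (not from the stack project or from anyone in this thread), a small POSIX shell pre-flight check for the Unix case: it verifies that the directory `SYSTEM_CERTIFICATE_PATH` points at actually holds PEM certificates before stack is invoked, so a typo like `no-certs-here` fails with a clear message instead of the `certificate has unknown CA` handshake error shown above. The demo directory and its placeholder certificate markers are constructed, and the wrapper name `run_stack_with_certs` is my own.

```shell
#!/bin/sh
# Added example, not stack's own code: validate a custom CA directory
# before handing it to stack via SYSTEM_CERTIFICATE_PATH.

# Count PEM certificate blocks across the regular files in a directory.
# Prints the count; returns 1 when the directory is missing, is not a
# directory, or contains no certificate at all.
count_ca_certs() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "SYSTEM_CERTIFICATE_PATH=$dir is not a directory" >&2
        return 1
    fi
    total=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # grep -c exits 1 on zero matches; keep the "0" it prints anyway.
        n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
        total=$((total + n))
    done
    echo "$total"
    if [ "$total" -eq 0 ]; then
        echo "no PEM certificates found in $dir" >&2
        return 1
    fi
}

# Hypothetical wrapper: run stack only when the directory passes the check.
run_stack_with_certs() {
    dir=$1; shift
    count_ca_certs "$dir" >/dev/null || return 1
    SYSTEM_CERTIFICATE_PATH=$dir stack "$@"
}

# Constructed demo input: one bundle with two placeholder certificate
# blocks (not real certificates) and one unrelated file.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' \
              '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' \
              > "$demo_dir/corp-ca-bundle.pem"
printf '%s\n' 'not a certificate' > "$demo_dir/README"

count_ca_certs "$demo_dir"                                  # prints 2
count_ca_certs "$demo_dir/no-certs-here" 2>/dev/null \
    || echo "refusing to run stack with a bad certificate directory"
```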
Is there a possible workaround for Windows too? Setting the SYSTEM_CERTIFICATE_PATH env variable doesn't do the trick on Win.
See https://github.com/commercialhaskell/stack/issues/907#issuecomment-197697680 . Perhaps we should allow customization of proxies / certs? Not sure how much work this would be, considering we delegate to a number of external programs which use ssl.