commercialhaskell / stack

The Haskell Tool Stack
http://haskellstack.org
BSD 3-Clause "New" or "Revised" License

Allow customization of ssl certs? #1922

Open mgsloan opened 8 years ago

mgsloan commented 8 years ago

See https://github.com/commercialhaskell/stack/issues/907#issuecomment-197697680 . Perhaps we should allow customization of proxies / certs? Not sure how much work this would be, considering we delegate to a number of external programs which use ssl.

sjakobi commented 8 years ago

As already noted in this comment on #907 it should be possible to just set SYSTEM_CERTIFICATE_PATH to point at the custom certificates.

This is documented in the x509-system sources which we use via http-client-tls.

I currently don't think that there's any need to add any configuration options for certificates, but possibly the env var approach should be documented?!

mgsloan commented 8 years ago

> but possibly the env var approach should be documented?!

Sure, that'd be good!

sjakobi commented 8 years ago

And we should test it too! ;)

sjakobi commented 8 years ago

> it should be possible to just set SYSTEM_CERTIFICATE_PATH to point at the custom certificates.

I can at least get an error when I misconfigure SYSTEM_CERTIFICATE_PATH:

    ~/tmp $ env SYSTEM_CERTIFICATE_PATH=no-certs-here stack new certs-repro
    Downloading template "new-template" to create project "certs-repro" in certs-repro/ ...
    HttpExceptionRequest Request {
      host                 = "raw.githubusercontent.com"
      port                 = 443
      secure               = True
      requestHeaders       = [("If-None-Match","\"079e366666d8d579d2113e5726d13c4bbff83faf\"")]
      path                 = "/commercialhaskell/stack-templates/master/new-template.hsfiles"
      queryString          = ""
      method               = "GET"
      proxy                = Nothing
      rawBody              = False
      redirectCount        = 10
      responseTimeout      = ResponseTimeoutDefault
      requestVersion       = HTTP/1.1
    }
     (InternalException (HandshakeFailed (Error_Protocol ("certificate has unknown CA",True,UnknownCa))))

sjakobi commented 8 years ago

I hadn't realized how much the SSL certificate configuration varies by OS. x509-system has separate modules for Windows, OS X and Unix OSs.

Right now I'm thinking about adding an entry like this to the FAQ:

## How can I make `stack` aware of my custom SSL certificates?

### OS X 

In principle, you can use the following command to add a certificate to your system certificate keychain:

    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <certificate>

Some users have reported issues with this approach, see [#907](https://github.com/commercialhaskell/stack/issues/907) for more information.

### Other *NIX OSs

Use the `SYSTEM_CERTIFICATE_PATH` environment variable to point at the directory
where you keep your SSL certificates.

I didn't test the OS X approach though!

This isn't really satisfying but I figure it's better than nothing…
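The FAQ text above tells users to point `SYSTEM_CERTIFICATE_PATH` at a directory, and the earlier repro shows what happens when that path is wrong: the failure only surfaces later as a TLS handshake error ("certificate has unknown CA") with no hint that the variable was the cause. The following POSIX shell script, added here as an example and not code from the stack project or from this thread, checks a candidate directory locally before exporting the variable, so a typo or an empty directory is reported up front. It assumes, as the FAQ states, that the variable names a directory of PEM-encoded certificates; the function names (`check_cert_dir`, `show_cert_subjects`, `run_with_certs`) and the placeholder certificate file it creates for its demo are constructed for this example.

```shell
#!/bin/sh
# Added example (not stack's own code). Sanity-checks a certificate directory
# before it is handed to stack via SYSTEM_CERTIFICATE_PATH, so a wrong or empty
# path is caught here rather than as a later "certificate has unknown CA" error.
# Assumption taken from the FAQ text: the variable names a directory whose
# files hold PEM-encoded certificates.

# check_cert_dir DIR
# Returns 0 if DIR is a readable directory containing at least one PEM
# certificate block; prints the reason and returns 1 otherwise.
check_cert_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "SYSTEM_CERTIFICATE_PATH check: not a directory: $dir" >&2
        return 1
    fi
    if [ ! -r "$dir" ]; then
        echo "SYSTEM_CERTIFICATE_PATH check: not readable: $dir" >&2
        return 1
    fi
    # Count "-----BEGIN CERTIFICATE-----" markers over all regular files.
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        c=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null || true)
        case "$c" in *[!0-9]*|'') c=0 ;; esac   # non-numeric output (e.g. binary file) counts as 0
        n=$((n + c))
    done
    if [ "$n" -eq 0 ]; then
        echo "SYSTEM_CERTIFICATE_PATH check: no PEM certificate blocks found under $dir" >&2
        return 1
    fi
    echo "$n certificate block(s) found under $dir"
    return 0
}

# show_cert_subjects DIR
# If openssl is on PATH, print each file's certificate subject so you can
# confirm the CA you expect is really in the directory. Skipped otherwise.
show_cert_subjects() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; skipping subject listing" >&2
        return 0
    fi
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        openssl x509 -in "$f" -noout -subject 2>/dev/null \
            || echo "$f: not a single parsable certificate" >&2
    done
}

# run_with_certs DIR CMD [ARGS...]
# Run CMD with SYSTEM_CERTIFICATE_PATH=DIR, but only after the directory
# passes check_cert_dir. Typical use:
#   run_with_certs "$HOME/my-certs" stack new certs-repro
run_with_certs() {
    d=$1
    shift
    check_cert_dir "$d" || return 1
    SYSTEM_CERTIFICATE_PATH=$d "$@"
}

# Offline demo: a throwaway directory with a constructed placeholder file.
# The base64 body is NOT a real certificate; only the PEM markers matter here.
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n' \
    > "$demo_dir/example-ca.pem"
check_cert_dir "$demo_dir"                 # reports 1 certificate block
check_cert_dir "$demo_dir/no-certs-here" || echo "(expected failure for a bad path)"
rm -rf "$demo_dir"
```

The check only confirms that PEM certificate blocks are present; it does not validate that they are the right CA, which is what `show_cert_subjects` is for on machines that have `openssl`. Wrapping the real invocation in `run_with_certs` keeps the variable scoped to that one command instead of exporting it into the whole shell session.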

sjakobi commented 8 years ago

I have added the above note to the FAQ (https://github.com/commercialhaskell/stack/commit/836c4a335da4ba8875716e1d6e0d982d1abc717b).

I'm leaving this open as a reminder to add integration tests.

St3S0f commented 6 years ago

Is there a possible workaround for Windows too? Setting the SYSTEM_CERTIFICATE_PATH env variable doesn't do the trick on Win.