Open anpin opened 6 months ago
Just as a quick guess: Do you have the complete chain in `.ssl/ca-chain.pem`, i.e. including the leaf cert and the root CA? I remember OpenLDAP insisting on having absolutely everything in there, see e.g. https://github.com/majewsky/nixos-modules/blob/54303357d576d1f40e76723fc82b44ac5a49ed6b/ldap-server.nix#L117-L129.
I do have the full chain under `.ssl/ca-chain.pem` (root + intermediate) as per the openldap docs, and I can validate the cert via openssl.
I understand what's going on. We are not telling portunus-server about the custom CA, so it will only use the system CA bundle. More specifically, the `nil` in there must be replaced by a tls.Config containing the additional CA. The tls.Config can be constructed like over here. Since my year-end vacation is over, I may not have the time to work on this right away. I put the above description here in case you are able to and interested in contributing the fix.
Before opening the issue I tried adding my root CA to the system bundle by overriding the nixos `cacert` package as such:

```nix
( final: prev: {
  cacert = prev.cacert.override {
    extraCertificateFiles = [ ./.ssl/ca-chain.pem ];
  };
})
```

That didn't affect this issue with portunus.
Thank you for pointing out possible solutions. I'm currently experimenting with other solutions to my problem and in case I would decide to use portunus I will look more into it.
Since overriding `pkgs.cacert` did not work, did you try setting `config.security.pki.certificateFiles`? That looks like the standard way to extend the system trust store.
Hello, thank you for your effort in this project! I've been playing with portunus and tried to use an SSL certificate signed with my own root CA, but it always fails even if I add my CA system-wide. Is there a way to use self-signed certificates?
Here is how I'm configuring it on nixos: