search

sqlitebrowser / dbhub.io

A "Cloud" for SQLite databases. Collaborative development for your data. 😊
https://dbhub.io
GNU Affero General Public License v3.0
372 stars 39 forks source link

Certificates at db4s.dbhub.io are expired #228

Open EwenQuim opened 10 months ago

EwenQuim commented 10 months ago
image
justinclift commented 10 months ago

Oh, that's not good. Looking into it now...

justinclift commented 10 months ago

Oh hang on. Are you running on macOS?

If so, this is unlikely to work any time soon. For some unknown reason, macOS wants to insert itself into all https calls, so refuses to accept our custom root CA certificate. :frowning: :frowning: :frowning:

It's more an Apple problem than a "certificates are expired" problem.

justinclift commented 10 months ago

Thinking about it a bit more... it might work if you add our root CA certificate to your system keychain.

Probably best if we ask @lucydodo (our resident macOS packager) to look into that first though. Don't want to give you bad advice. :smile:

lucydodo commented 10 months ago

This issue has been around since macOS Big Sur that starts validate certificates issue by self-signed CAs. :) An immediate workaround is to enroll our CA certificate in the macOS keychain. See https://github.com/sqlitebrowser/sqlitebrowser/issues/2829

lucydodo commented 10 months ago

@justinclift As an aside, I think we should consider replacing our self-signed certifiacte with a certificate from a recognized authority. 🤔

justinclift commented 10 months ago

we should consider replacing our self-signed certifiacte with a certificate from a recognized authority.

Not going to happen. There's no way we could then issue client certificates to our users for them to load into DB4S.

lucydodo commented 10 months ago

Well, so right now on macOS, users can't access DBHub without registering a CA certificate, so do we need to guide them through that in the program (for example, pointing them to a wiki page)? 😄

justinclift commented 10 months ago

We should probably do two things:

1) Test the concept first in a playground environment (VM, container, etc), just to make sure it does work as desired

2) Think through whether there will be unintended issues (security, etc) from manually adding a new root CA certificate to people's system keychain

For 2) there might be. I can't put my finger on the exact problem right at the moment, but there's a large warning alert type thing going off in my head when I think about us doing this.

Something along the lines of reducing security for people from an external person's point of view, because our custom root CA could (in theory) do something like generate certificates for any domain. Which would be trusted by the users computer because our root CA is now in their system keychain.

Us not actually generating certificates for anything other than DB4S is kind of beside the point, as the capability would be there. :frowning:

What we should probably do, is see if the suggestions in that DB4S issue for adjusting our certificates will let them work with macOS. I've not really had the mental head space to look into it though. If you're interested, then you're welcome to though. :smile:

lucydodo commented 10 months ago

I'd probably want to fix this before the next release. As it is, you've explained it well enough, but maybe my knowledge is a bit limited, Do you mind if I ask you to elaborate?