Closed williamchong closed 5 months ago
It seems Browsertrix gives a new cert every time I try, not sure if we should just trust all cert sha for now
Can you expand on this? A new domainCert every time?
Maybe instead of having a manual list of trustedDomainFingerprints, a better way to verify would be to use the OS's CA store (with x509.SystemCertPool), and just check that domainCert is a valid certificate chain for the domain, no matter who the CA is. Because if Browsertrix switches from Let's Encrypt to ZeroSSL one day, that shouldn't necessarily fail in our system. Is that possible? That might fix your problem.
Feel free to respond in Slack if that's better.
Looks good. Happy to merge if this is tested and working on your end. Or we can do docs in this PR too.
One thing I'll add regarding docs is we should have an example curl command that sets up Browsertrix with the webhook URL.
Yes, I have tested with an actual webhook payload, will make docs in another PR
Will merge once changes mentioned in Slack are integrated.
Updated, we still need to have a trust list for freetsa though
Fixes https://github.com/starlinglab/integrity-v2/issues/33
TODO: docs