superseriousbusiness / gotosocial

Fast, fun, small ActivityPub server.
https://docs.gotosocial.org
GNU Affero General Public License v3.0

[feature] Customize CA roots used for outgoing federation requests #2037

Closed Gaelan closed 1 year ago

Gaelan commented 1 year ago

Is your feature request related to a problem?

I work on minifedi, a tool for local testing of Fediverse software. In order to make federation work without real servers, we need to use a self-signed CA and configure each instance to trust that CA. GoToSocial doesn't provide any way (that I can find) to customize this. Go itself supports finding trusted roots from an environment variable on Linux; but on macOS, it always reads from the system CA store.

Describe the solution you'd like.

Provide a configuration flag to specify a root CA that is trusted for any outbound HTTPS requests GoToSocial makes.

Describe alternatives you've considered.

Additional context.

No response

daenney commented 1 year ago

Does it work if you change the protocol in the configuration to http? It's a setting that's only to be used for development, but I think that means we don't use HTTPS at all for federation etc. Idk if the other instances will like that though.

tsmethurst commented 1 year ago

I think we can just support loading a CA cert into the http client's cert pool... I think. In what format are these things normally provided? The path to load the cert from on disk or so?

Gaelan commented 1 year ago

> Does it work if you change the protocol in the configuration to http?

My read of the docs was that this affects the protocol GTS listens on, not the one it makes outgoing federation requests with - but maybe it’s actually both?

In any case, I suspect that’s going to cause problems elsewhere unless it’s extremely clever about rewriting actor/activity URLs between http and https.

> I think we can just support loading a CA cert into the http client's cert pool... I think. In what format are these things normally provided? The path to load the cert from on disk or so?

Typically it’s just a path to a .pem file, yeah. Often there’s also support for a directory full of pem files (possibly with some hash-based naming scheme?) but that’s way overkill for minifedi’s one CA. The de facto standard here seems to be OpenSSL’s SSL_CERT_DIR and SSL_CERT_FILE environment variables.

tsmethurst commented 1 year ago

> this affects the protocol GTS listens on

That's right!

tsmethurst commented 1 year ago

In the end it was a faff to implement setting SSL_CERT_DIR and SSL_CERT_FILE specifically for Mac, since it required a lot of duplication of the existing code that already works for Linux. So instead I opened the above PR to just disable tls cert verification entirely for testing only ^^
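
The cert-pool approach discussed earlier in this thread, as an added example that is not GoToSocial's code and not the PR mentioned above: a PEM-encoded CA is appended to the system roots of an outbound `http.Client`, so certificate verification stays enabled. `extraCAClient`, `status` and `demo` are hypothetical names, and the built-in self-signed certificate of Go's `httptest` server stands in for the private test CA.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// extraCAClient (hypothetical helper) adds the CAs in caPEM to the system roots.
func extraCAClient(caPEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no system store: start from an empty pool
	}
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no certificate parsed from PEM input")
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}} // verification stays on
	return &http.Client{Transport: tr}, nil
}

// status performs a GET and returns the status code or the TLS/HTTP error.
func status(c *http.Client, url string) (int, error) {
	resp, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// demo requests a loopback HTTPS server with and without the extra root.
func demo() (withCA int, withoutCA error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	client, err := extraCAClient(caPEM)
	if err != nil {
		return 0, err
	}
	withCA, _ = status(client, srv.URL)            // extra root trusted: handshake succeeds
	_, withoutCA = status(&http.Client{}, srv.URL) // default roots only: verification fails
	return withCA, withoutCA
}

func main() { fmt.Println(demo()) }
```

In a real deployment the PEM bytes would come from the file named by a configuration option or an `SSL_CERT_FILE`-style variable rather than from the test server.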