Re: [Nix-dev] Installing CA certificates

2016-02-23 Thread Adam Russell
Thanks Guillaume; your reply is very informative. I'll investigate as soon
as I have a chance and get back to you.

On Mon, Feb 22, 2016 at 11:42 AM Guillaume Maudoux (Layus) <layus...@gmail.com> wrote:

> Just my two cents, but could you test again your openssl command with
> `-partial_chain`?
> Like in `openssl s_client -connect {HOSTNAME}:443 -partial_chain`?
>
> My reasoning is that, most probably, the certificate downloaded by
> Chrome is an intermediate certificate, signed by some authority for your
> website, and not self-signed.
> Adding that certificate to the trust store does not make openssl (or
> anyone else) trust your website, unless you explicitly accept partial
> chains.
> This is because an intermediate certificate cannot be used as a root
> (= self-signed) certificate.
>
> To solve the issue, you need to add the root certificate to
> /etc/ssl/certs/ca-certificates.crt,
> the one that is self-signed in the chain dumped by `openssl s_client
> -connect {HOSTNAME}:443 -showcerts`.
> Alternatively, when saving the certificate with chrome, you have an
> option to dump the whole certificate chain instead of only the last
> certificate in the chain.
>
> You must then include the root certificate (or the full chain, it does
> not matter) in security.pki.certificates.
> To avoid errors, typos and such, you can use
> `security.pki.certificateFiles = [ /path/to/your/root-cert.pem ]`
>
> Then, `openssl s_client -connect {HOSTNAME}:443` should work!
>
> Partial chains would be perfect for you but it is not a widely
> implemented feature and there is often no option to enable it.
> And that's the whole story...
>
> G.

Re: [Nix-dev] Installing CA certificates

2016-02-22 Thread Adam Russell
Here's the full output of those two commands (substituting domain name and
IP address):

$ curl --cacert /etc/ssl/certs/ca-certificates.crt -v
https://exch1.example.com/owa/
*   Trying 10.10.1.234...
* Connected to exch1.example.com (10.10.1.234) port 443 (#0)
* Cipher selection:
ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
* TLSv1.0 (OUT), TLS alert, Client hello (1):
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
$ openssl x509 -in /etc/ssl/certs/ca-certificates.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:00:00:00:00:01:15:4b:5a:c3:94
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
Validity
Not Before: Sep  1 12:00:00 1998 GMT
Not After : Jan 28 12:00:00 2028 GMT
Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:da:0e:e6:99:8d:ce:a3:e3:4f:8a:7e:fb:f1:8b:
83:25:6b:ea:48:1f:f1:2a:b0:b9:95:11:04:bd:f0:
63:d1:e2:67:66:cf:1c:dd:cf:1b:48:2b:ee:8d:89:
8e:9a:af:29:80:65:ab:e9:c7:2d:12:cb:ab:1c:4c:
70:07:a1:3d:0a:30:cd:15:8d:4f:f8:dd:d4:8c:50:
15:1c:ef:50:ee:c4:2e:f7:fc:e9:52:f2:91:7d:e0:
6d:d5:35:30:8e:5e:43:73:f2:41:e9:d5:6a:e3:b2:
89:3a:56:39:38:6f:06:3c:88:69:5b:2a:4d:c5:a7:
54:b8:6c:89:cc:9b:f9:3c:ca:e5:fd:89:f5:12:3c:
92:78:96:d6:dc:74:6e:93:44:61:d1:8d:c7:46:b2:
75:0e:86:e8:19:8a:d5:6d:6c:d5:78:16:95:a2:e9:
c8:0a:38:eb:f2:24:13:4f:73:54:93:13:85:3a:1b:
bc:1e:34:b5:8b:05:8c:b9:77:8b:b1:db:1f:20:91:
ab:09:53:6e:90:ce:7b:37:74:b9:70:47:91:22:51:
63:16:79:ae:b1:ae:41:26:08:c8:19:2b:d1:46:aa:
48:d6:64:2a:d7:83:34:ff:2c:2a:c1:6c:19:43:4a:
07:85:e7:d3:7c:f6:21:68:ef:ea:f2:52:9f:7f:93:
90:cf
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B
Signature Algorithm: sha1WithRSAEncryption
 d6:73:e7:7c:4f:76:d0:8d:bf:ec:ba:a2:be:34:c5:28:32:b5:
 7c:fc:6c:9c:2c:2b:bd:09:9e:53:bf:6b:5e:aa:11:48:b6:e5:
 08:a3:b3:ca:3d:61:4d:d3:46:09:b3:3e:c3:a0:e3:63:55:1b:
 f2:ba:ef:ad:39:e1:43:b9:38:a3:e6:2f:8a:26:3b:ef:a0:50:
 56:f9:c6:0a:fd:38:cd:c4:0b:70:51:94:97:98:04:df:c3:5f:
 94:d5:15:c9:14:41:9c:c4:5d:75:64:15:0d:ff:55:30:ec:86:
 8f:ff:0d:ef:2c:b9:63:46:f6:aa:fc:df:bc:69:fd:2e:12:48:
 64:9a:e0:95:f0:a6:ef:29:8f:01:b1:15:b5:0c:1d:a5:fe:69:
 2c:69:24:78:1e:b3:a7:1c:71:62:ee:ca:c8:97:ac:17:5d:8a:
 c2:f8:47:86:6e:2a:c4:56:31:95:d0:67:89:85:2b:f9:6c:a6:
 5d:46:9d:0c:aa:82:e4:99:51:dd:70:b7:db:56:3d:61:e4:6a:
 e1:5c:d6:f6:fe:3d:de:41:cc:07:ae:63:52:bf:53:53:f4:2b:
 e9:c7:fd:b6:f7:82:5f:85:d2:41:18:db:81:b3:04:1c:c5:1f:
 a4:80:6f:15:20:c9:de:0c:88:0a:1d:d6:66:55:e2:fc:48:c9:
 29:26:69:e0
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
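
The reasoning in Guillaume's reply quoted above, and the `openssl x509 -in /etc/ssl/certs/ca-certificates.crt -text` output just above, can both be checked offline. The script below is an added example, not code from the thread or from NixOS: it mints a throwaway root, intermediate and leaf with openssl (the names "Example Root CA" and "Example Intermediate CA", the reuse of exch1.example.com as the leaf name and all file names are placeholders), then runs `openssl verify` against five different trust-store contents. Two points it makes explicit: `openssl x509 -in <bundle>` only ever reads the first certificate in a file, which is why the output above shows GlobalSign Root CA and says nothing about whether the exported certificate is actually in the bundle; and a root in the store still fails with "unable to get local issuer certificate" when the server does not send its intermediate, so the same curl error has two different fixes depending on which side is missing a certificate. It assumes openssl 1.1.1 or newer and awk.

```shell
#!/usr/bin/env bash
# Added example; not code from the thread or from NixOS. It builds a throwaway
# root -> intermediate -> leaf chain (all names invented) and checks which
# trust-store contents let the leaf verify. Needs openssl >= 1.1.1 and awk.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Issue a certificate. $1 basename, $2 subject, $3 extension lines (\n-separated),
# $4 issuer basename, or "" for a self-signed certificate.
issue() {
  out="$WORK/$1"; issuer="${4:-}"
  printf '%b' "$3" > "$out.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out.csr" \
    -subj "$2" >/dev/null 2>&1
  if [ -z "$issuer" ]; then
    # Self-signed: issuer == subject. This is what a root looks like.
    openssl x509 -req -in "$out.csr" -signkey "$out.key" -days 30 \
      -extfile "$out.ext" -out "$out.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$out.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -days 30 -extfile "$out.ext" -out "$out.pem" >/dev/null 2>&1
  fi
}

make_chain() {
  ca_ext='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'
  issue root  "/CN=Example Root CA"         "$ca_ext"
  issue inter "/CN=Example Intermediate CA" "$ca_ext" root
  issue leaf  "/CN=exch1.example.com" \
    'basicConstraints=CA:FALSE\nsubjectAltName=DNS:exch1.example.com\n' inter
  # Root plus intermediate, like a "whole chain" export from the browser.
  cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/fullchain.pem"
  # What `openssl s_client -showcerts` dumps: leaf first, then what the server sends.
  cat "$WORK/leaf.pem" "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/showcerts.pem"
}

# Verify the leaf. $1 trusted CA file, $2 file of untrusted intermediates (what the
# server sends in the handshake) or "", remaining args go to `openssl verify`.
verify_leaf() {
  trusted="$1"; untrusted="$2"; shift 2
  if [ -n "$untrusted" ]; then
    openssl verify -CAfile "$trusted" -untrusted "$untrusted" "$@" "$WORK/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$trusted" "$@" "$WORK/leaf.pem" >/dev/null 2>&1
  fi
}

# 1. Only the intermediate in the store (what exporting the certificate Chromium
#    shows you typically yields): no path to a self-signed root, so it is rejected.
trust_intermediate_only()          { verify_leaf "$WORK/inter.pem" "$WORK/inter.pem"; }
# 2. Same store, but partial chains explicitly accepted: verifies.
trust_intermediate_partial_chain() { verify_leaf "$WORK/inter.pem" "$WORK/inter.pem" -partial_chain; }
# 3. The self-signed root in the store, intermediate supplied by the server: verifies.
trust_root()                       { verify_leaf "$WORK/root.pem" "$WORK/inter.pem"; }
# 4. Root and intermediate both in the store: also verifies ("it does not matter").
trust_full_chain()                 { verify_leaf "$WORK/fullchain.pem" ""; }
# 5. Root in the store but the server omits the intermediate: rejected with the same
#    "unable to get local issuer certificate" that curl printed in the thread.
trust_root_server_omits_intermediate() { verify_leaf "$WORK/root.pem" ""; }

# Split a PEM bundle ($1) into one file per certificate under directory $2.
# `openssl x509 -in bundle` only reads the first certificate, so a bundle has to
# be split before each member can be inspected.
split_bundle() {
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
}

# Print every subject in a bundle, e.g. to confirm a certificate really landed in
# /etc/ssl/certs/ca-certificates.crt.
bundle_subjects() {
  d="$(mktemp -d)"; split_bundle "$1" "$d"
  for f in "$d"/*.pem; do openssl x509 -noout -subject -in "$f"; done
  rm -rf "$d"
}

# Print the self-signed certificate(s) in a bundle (subject hash == issuer hash):
# the root(s) to put in security.pki.certificateFiles.
find_self_signed() {
  d="$(mktemp -d)"; split_bundle "$1" "$d"
  for f in "$d"/*.pem; do
    if [ "$(openssl x509 -noout -subject_hash -in "$f")" = \
         "$(openssl x509 -noout -issuer_hash -in "$f")" ]; then cat "$f"; fi
  done
  rm -rf "$d"
}

make_chain
for s in trust_intermediate_only trust_intermediate_partial_chain trust_root \
         trust_full_chain trust_root_server_omits_intermediate; do
  if "$s"; then echo "$s: verified"; else echo "$s: rejected"; fi
done
echo "certificates in the s_client dump:"; bundle_subjects "$WORK/showcerts.pem"
echo "self-signed root, the one to install:"
find_self_signed "$WORK/showcerts.pem" | openssl x509 -noout -subject
```

Against a real host, save `openssl s_client -connect HOST:443 -showcerts </dev/null 2>/dev/null` to a file and pass it to `find_self_signed`; if it prints nothing, the server did not send its root, and the root has to come from the CA or from the browser's full-chain export instead. Scenario 1 only passes with `-partial_chain`, an OpenSSL verify flag that curl and most other clients do not expose (Guillaume's point above), which is why the self-signed root, not the exported intermediate, is what belongs in `security.pki.certificateFiles`.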

Re: [Nix-dev] Installing CA certificates

2016-02-19 Thread zimbatm
I am starting to think that the installed certificate is not the right one.
What if you run `curl --cacert /path/to/cert.pem -v https://yourservice`?
It would be useful to get the full output to make sure we didn't miss
anything. And also the output of `openssl x509 -in /path/to/cert.pem -text`.

On Fri, 19 Feb 2016 at 22:28 Adam Russell  wrote:

> Using that page as reference, I ran this command:
>
> certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n DEV.LOCAL -i
> /etc/ssl/certs/ca-certificates.crt
>
> That page did lead me to some other pages that might be helpful:
>
> https://wiki.archlinux.org/index.php/Chromium/Tips_and_tricks#Adding_CAcert_certificates_for_self-signed_certificates
> http://blog.xelnor.net/firefox-systemcerts/
>
> https://chromium.googlesource.com/chromium/src/+/master/docs/linux_cert_management.md
>
> And in particular, http://superuser.com/a/719047/73086
>
> However, things still don't work, and running the openssl command as
> recommended in the last link doesn't give me the expected "verify return
> code" of 0 (ok). Instead, it's 21 (unable to verify the first certificate).
>
> This is all way over my head. I have some more reading to do. Once I do
> figure it out, I think I will suggest having the NixOS module take care of
> whatever steps are necessary to fix this, assuming it can be done in a
> reproducible manner.

Re: [Nix-dev] Installing CA certificates

2016-02-19 Thread Adam Russell
Using that page as reference, I ran this command:

certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n DEV.LOCAL -i
/etc/ssl/certs/ca-certificates.crt

That page did lead me to some other pages that might be helpful:
https://wiki.archlinux.org/index.php/Chromium/Tips_and_tricks#Adding_CAcert_certificates_for_self-signed_certificates
http://blog.xelnor.net/firefox-systemcerts/
https://chromium.googlesource.com/chromium/src/+/master/docs/linux_cert_management.md

And in particular, http://superuser.com/a/719047/73086

However, things still don't work, and running the openssl command as
recommended in the last link doesn't give me the expected "verify return
code" of 0 (ok). Instead, it's 21 (unable to verify the first certificate).

This is all way over my head. I have some more reading to do. Once I do
figure it out, I think I will suggest having the NixOS module take care of
whatever steps are necessary to fix this, assuming it can be done in a
reproducible manner.

On Fri, Feb 19, 2016 at 11:42 AM zimbatm  wrote:

> Found this which might be useful to you:
> http://mindref.blogspot.co.uk/2011/02/nssdb-add-ca-certificate.html
>

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev


Re: [Nix-dev] Installing CA certificates

2016-02-19 Thread zimbatm
Found this which might be useful to you:
http://mindref.blogspot.co.uk/2011/02/nssdb-add-ca-certificate.html


On Fri, 19 Feb 2016 at 17:36 zimbatm  wrote:

> curl should work just fine then. Can you paste the output of `curl -v
> https://yoursite.com` ?
>
> Chromium uses NSS which has another mechanism for its PKI which I don't
> know. Can you confirm that your cert is also in
> /etc/pki/tls/certs/ca-bundle.crt ?
> Also do you have anything under ~/.pki ?


Re: [Nix-dev] Installing CA certificates

2016-02-19 Thread zimbatm
curl should work just fine then. Can you paste the output of `curl -v
https://yoursite.com` ?

Chromium uses NSS which has another mechanism for its PKI which I don't
know. Can you confirm that your cert is also in
/etc/pki/tls/certs/ca-bundle.crt ?
Also do you have anything under ~/.pki ?


On Fri, 19 Feb 2016 at 16:47 Adam Russell  wrote:

> The output is:
>
> $ echo $SSL_CERT_FILE
> /etc/ssl/certs/ca-certificates.crt
> $ echo $CURL_CA_BUNDLE
>
> $
>
> And yes, the certificates are in that file. Is there another step that
> needs to happen for curl and Chromium to be able to use them?


Re: [Nix-dev] Installing CA certificates

2016-02-19 Thread Adam Russell
The output is:

$ echo $SSL_CERT_FILE
/etc/ssl/certs/ca-certificates.crt
$ echo $CURL_CA_BUNDLE

$

And yes, the certificates are in that file. Is there another step that
needs to happen for curl and Chromium to be able to use them?

On Fri, Feb 19, 2016 at 9:26 AM zimbatm  wrote:

> What is the output of `echo $SSL_CERT_FILE` and `echo $CURL_CA_BUNDLE`?
> If one of those is set, look in the file it points to and see if you can
> find your certificate.


Re: [Nix-dev] Installing CA certificates

2016-02-19 Thread zimbatm
What is the output of `echo $SSL_CERT_FILE` and `echo $CURL_CA_BUNDLE`?
If one of those is set, look in the file it points to and see if you can
find your certificate.

On Fri, 19 Feb 2016 at 15:12 Adam Russell  wrote:

> Thomas, I've not used the openssl command-line tool before, and looking at
> its documentation I'm not sure what command I would run in order to test
> it, or what output to look for. I can tell you that curl doesn't work
> against the domains in question, though (at least without the insecure
> flag).
>
> Regardless, with or without the "comment" with the equal signs separator,
> adding things to security.pki.certificates has no effect for me. Is there a
> bug, or am I doing something wrong?


Re: [Nix-dev] Installing CA certificates

2016-02-19 Thread Adam Russell
Thomas, I've not used the openssl command-line tool before, and looking at
its documentation I'm not sure what command I would run in order to test
it, or what output to look for. I can tell you that curl doesn't work
against the domains in question, though (at least without the insecure
flag).

Regardless, with or without the "comment" with the equal signs separator,
adding things to security.pki.certificates has no effect for me. Is there a
bug, or am I doing something wrong?

On Thu, Feb 18, 2016 at 1:31 PM Thomas Hunger  wrote:

> Hi Adam,
>
> Can you make the TLS call work with a command line tool like openssl? I'm
> not 100% sure but I think that Chrome might use a different set of trusted
> certs (based on the Mozilla ones) [1].
>
> ~
>
> [1]
> https://www.chromium.org/Home/chromium-security/root-ca-policy


Re: [Nix-dev] Installing CA certificates

2016-02-18 Thread Thomas Hunger
Hi Adam,

Can you make the TLS call work with a command line tool like openssl? I'm
not 100% sure but I think that Chrome might use a different set of trusted
certs (based on the Mozilla ones) [1].

~

[1]
https://www.chromium.org/Home/chromium-security/root-ca-policy

On 18 February 2016 at 13:53, Adam Russell  wrote:

> Hello Nix-Dev,
>
> I'm trying to understand how to install CA certificates in NixOS.
>
> If I visit my work's webmail in Chromium, I get an indicator that my
> connection is not private. Clicking the padlock icon in the address bar,
> then the "Certificate information" link in the Connection tab, going to the
> "Details" tab, and clicking "Export" allows me to download a certificate.
>
> The text in this export is what I am supposed to put in the array in
> `security.pki.certificates` option of `/etc/nixos/configuration.nix`,
> correct? Am I missing something?
>
> The documentation I am using is at:
> https://github.com/NixOS/nixpkgs/blob/6e6a96d42cf56cfcd042bbeab89e37f442f0cfcc/nixos/modules/security/ca.nix#L39-L45
>
> Does the text above the equal signs have any significance ("NixOS.org" in
> the example), or is it just a comment?
>
> Thanks,
> -Adam


Re: [Nix-dev] Installing CA certificates

2016-02-18 Thread Profpatsch
On 16-02-18 01:53pm, Adam Russell wrote:
> Hello Nix-Dev,
> 
> I'm trying to understand how to install CA certificates in NixOS.

Different question, related topic:

I tried adding CA-Cert by default a while ago and had the impression it worked
for a while and then suddenly stopped working (at least in Chromium).

What is the suggested way to add that to the list of accepted CA-Auths?


-- 
Proudly written in Mutt with Vim on NixOS.
Q: Why is this email five sentences or less?
A: http://five.sentenc.es
May take up to five days to read your message. If it’s urgent, call me.


Re: [Nix-dev] Installing CA certificates

2016-02-18 Thread zimbatm
Yes use `security.pki.certificates` or `security.pki.certificateFiles`. I
don't know why there is a comment there, you can just ignore that bit.


If you use `security.pki.certificateFiles` don't forget to add back
"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" in your array.

On Thu, 18 Feb 2016 at 13:53 Adam Russell  wrote:

> Hello Nix-Dev,
>
> I'm trying to understand how to install CA certificates in NixOS.
>
> If I visit my work's webmail in Chromium, I get an indicator that my
> connection is not private. Clicking the padlock icon in the address bar,
> then the "Certificate information" link in the Connection tab, going to the
> "Details" tab, and clicking "Export" allows me to download a certificate.
>
> The text in this export is what I am supposed to put in the array in
> `security.pki.certificates` option of `/etc/nixos/configuration.nix`,
> correct? Am I missing something?
>
> The documentation I am using is at:
> https://github.com/NixOS/nixpkgs/blob/6e6a96d42cf56cfcd042bbeab89e37f442f0cfcc/nixos/modules/security/ca.nix#L39-L45
>
> Does the text above the equal signs have any significance ("NixOS.org" in
> the example), or is it just a comment?
>
> Thanks,
> -Adam