Situation
The ca-bundle option is given a path:
# a file
ca_bundle = /path/to/custom-certificate.crt
# or a folder
ca_bundle = /path/to/custom-certificates
In some circumstances (cf. SUPNXP-34797), that SSL certificate must be concatenated to the cacert.pem file; otherwise it will never work.
Problem
When the custom certificate is passed to requests, all Certificate Authorities (CA) from cacert.pem will be ignored.
Solution
To ease custom SSL certificate handling, we will always do the concatenation when ca-bundle is set.
—
Q/A
How to check if the file is a valid file?
We already have a function, get_certificate_details(), that could be used to validate the file.
It uses an SSL function, so it should be strong.
What if the file is not a certificate?
If it is not a valid certificate (PEM, ...), it will be ignored.
What if ca-bundle is referencing a folder?
If the path is a folder, all valid certificates inside it will be taken into account.
Where to store the final certificate file?
In the Nuxeo Drive configuration folder:
$HOME/.nuxeo-drive/ndrive_<MD5>.pem
What is the content of the final certificate?
It will contain the content of cacert.pem and all custom certificates data.
How to handle certifi upgrades?
See the next question.
How to handle ca-bundle updates?
The final certificate file name will be used to keep track of the current data in use.
It will be computed like:
MD5(DATA(cacert.pem) + DATA(custom certificate) ...)
That way, when certifi upgrades cacert.pem or when the certificate(s) passed to ca-bundle are updated, it will be easy to check the validity of the current final certificate and regenerate it if necessary.
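The scheme described in the answers above, as an added sketch that is not Nuxeo Drive's own code: it concatenates cacert.pem with the valid custom certificates and names the result ndrive_<MD5>.pem, so a changed input yields a new file name. The function names are hypothetical, ssl.PEM_cert_to_DER_cert stands in for get_certificate_details() and checks only PEM framing and base64, the cacert.pem path is passed in rather than taken from certifi, and the sample certificates are constructed.

```python
import base64
import hashlib
import ssl
import tempfile
from pathlib import Path


def valid_pem(path: Path) -> bytes:
    """Return normalized PEM bytes, or b"" when the file is not PEM certificate data."""
    try:
        text = path.read_text(encoding="ascii").strip()
        ssl.PEM_cert_to_DER_cert(text)  # stand-in: checks PEM framing and base64 only
    except (OSError, ValueError):
        return b""
    return text.encode("ascii") + b"\n"


def final_bundle(cacert: Path, ca_bundle: Path, conf_dir: Path) -> Path:
    """Concatenate cacert.pem and the valid custom certificates into ndrive_<MD5>.pem."""
    files = sorted(ca_bundle.iterdir()) if ca_bundle.is_dir() else [ca_bundle]
    custom = b"".join(valid_pem(f) for f in files if f.is_file())
    data = cacert.read_bytes().rstrip() + b"\n" + custom
    # MD5 is only a change-detection key for the file name, not a security control.
    digest = hashlib.md5(data, usedforsecurity=False).hexdigest()
    final = conf_dir / f"ndrive_{digest}.pem"
    if not final.is_file():  # certifi upgrade or ca-bundle update: regenerate
        final.write_bytes(data)
    return final


def fake_pem(payload: bytes) -> str:
    """Constructed sample: PEM framing around arbitrary bytes, not a real certificate."""
    body = base64.encodebytes(payload).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


def demo() -> tuple:  # constructed inputs in a temporary folder
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cacert, certs = root / "cacert.pem", root / "custom-certificates"
        certs.mkdir()
        cacert.write_text(fake_pem(b"constructed public CA"))
        (certs / "corp.crt").write_text(fake_pem(b"constructed corporate CA v1"))
        (certs / "notes.txt").write_text("not a certificate")  # ignored
        first = final_bundle(cacert, certs, root)
        again = final_bundle(cacert, certs, root)
        (certs / "corp.crt").write_text(fake_pem(b"constructed corporate CA v2"))
        rotated = final_bundle(cacert, certs, root)
        return first.name, again.name, rotated.name, first.read_bytes().count(b"BEGIN")
```

demo() returns the file name from the first run, the same name from an unchanged second run, a different name after the custom certificate is replaced, and the number of certificates in the first bundle.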
Causes: NXDRIVE-2719 Fix handling of the ca-bundle parameter (Resolved)