cloudfoundry cli trusted ssl certificate


sd...@pivotal.io

Aug 9, 2014, 10:34:50 AM
to vcap...@cloudfoundry.org

I am curious where the certificate store is that the cf CLI is using.

I installed the certificate into my Mavericks login/system keychain and set it to "always trust" (Safari seems to work fine with the certificate).

However, the command line in the terminal still pops up that the certificate is not trusted.

A similar question for other systems, e.g. Windows, Ubuntu: how do you import a self-signed certificate and make the cf CLI work?

Thanks

-Shaozhen

James Bayer

Aug 9, 2014, 8:39:14 PM
to vcap...@cloudfoundry.org
Since the CLI is written in Go, it probably does whatever Go does by default. Greg can ask the team.


--
You received this message because you are subscribed to the Google Groups "Cloud Foundry Developers" group.
To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/eb12f4e4-fd43-4608-8a4f-6523d441dec9%40cloudfoundry.org.

To unsubscribe from this group and stop receiving emails from it, send an email to vcap-dev+u...@cloudfoundry.org.



--
Thank you,

James Bayer

David Lee

Aug 9, 2014, 9:07:28 PM
to vcap...@cloudfoundry.org
CF CLI (v.6.3.x) is still using golang 1.2.

In 1.2, on Linux and Windows, Go properly uses the OS-configured system certificates. To configure this on Windows, see http://support.microsoft.com/kb/931125. There should be similar instructions for the various Linuxes.

On Mac it appears to have used the keychain for older Mac OS versions (10.7 and before), but the deprecation of a Mac OS API seems to have caused problems with newer versions of Mac OS. This appears to be fixed in Go 1.3. Perhaps there is a workaround, but I didn't see anything on a quick search.


-Dave





Shaozhen Ding

Aug 9, 2014, 11:14:53 PM
to vcap...@cloudfoundry.org, dc...@pivotal.io
Thanks David.

I built the cf CLI from the source repo with Go 1.3. It seems to give the same result on OS X 10.9.

-Shaozhen

David Lee

Aug 10, 2014, 12:13:57 AM
to Shaozhen Ding, vcap...@cloudfoundry.org
Can you try running the commands in the Go 1.3 x509 root_darwin file to see if you can retrieve your certificate using the same method?

Shaozhen Ding

Aug 10, 2014, 8:59:55 AM
to vcap...@cloudfoundry.org, Shaozhen Ding
No, it was not there.

It was reading from: /System/Library/Keychains/SystemRootCertificates.keychain

But the certificate is in the per-user login keychain: ~/Library/Keychains/login.keychain





--
Shaozhen Ding
Senior Consultant - Pivotal Services @ EMC

iamflying

Oct 8, 2014, 2:40:19 AM
to vcap...@cloudfoundry.org, dsz...@gmail.com, sd...@pivotal.io
I think I have the same issue with the cf CLI using SSL in my cf-183.

ubuntu@ubuntu14:~/bosh-workspace/deployments/cf$ cf api https://api.mycloud1.com
Setting api endpoint to https://api.mycloud1.com...
FAILED
Invalid SSL Cert for api.mycloud1.com

However, I can access https://api.mycloud.com, https://uaa.mycloud1.com, and https://login.mycloud1.com through Firefox by accepting the certificate.

Any suggestions?

Mike Youngstrom

Oct 8, 2014, 12:53:29 PM
to vcap...@cloudfoundry.org, dsz...@gmail.com, sd...@pivotal.io
Two issues I've run into with the CLI and certificates:

1.  If you're creating a custom build, you need to create that build on a Mac for certificates to work.  Cross-compiled builds on a Linux box for Mac OS won't work with certs.
2.  If your cert uses the newer SHA512, I had to add this import to http_client.go for the SHA512 certs to work:

_ "crypto/sha512"

I've been meaning to submit a PR or issue to the CLI for this one.

Mike

Greg Oehmen

Oct 8, 2014, 2:27:02 PM
to vcap-dev, dsz...@gmail.com, sd...@pivotal.io
Mike, Guancai:

I'll bring this up with the CLI team.  Meanwhile, if a PR happens to come in, we'll take a good look at it.

Best
Greg

Mike Youngstrom

Oct 8, 2014, 5:18:33 PM
to vcap...@cloudfoundry.org, goe...@pivotal.io, Shaozhen Ding, sd...@pivotal.io
Here is the blog post on the issue that led us to this patch for our newer certs: http://bridge.grumpy-troll.org/2014/05/golang-tls-comodo/

Mike

iamflying

Oct 20, 2014, 12:01:50 AM
to vcap...@cloudfoundry.org, goe...@pivotal.io, dsz...@gmail.com, sd...@pivotal.io
Hi Mike,

I imported  _ "crypto/sha512"  as you mentioned above and then built all of the CLI source code. But it still does not solve the CLI cert issue.

Anything special you did? Thanks.

Hi Greg,
Any update from you? Need us to submit a bug? Thanks.

Mike Youngstrom

Oct 21, 2014, 12:12:20 PM
to vcap...@cloudfoundry.org, Greg Oehmen, Shaozhen Ding, sd...@pivotal.io
Do you know if your cert chain has a SHA384-signed cert in it?  Or were you just trying the "crypto/sha512" import because you were out of ideas?

Try downloading the cert chain using openssl and make sure that all certs in the chain are being included.  You can use a command like this:

openssl s_client -connect api.run.pivotal.io:443

And make sure that the Certificate chain at the top lists your full cert chain and that at least one of those listed is trusted in your local system.  If none of the certs listed are in your local system, your server may not be including the full chain.

Mike

iamflying

Oct 23, 2014, 12:29:27 AM
to vcap...@cloudfoundry.org, goe...@pivotal.io, dsz...@gmail.com, sd...@pivotal.io
Hi Mike,

I ran the command you mentioned.  Below is the output. However, I still have no idea why "cf api https://api.mycloud1.com" failed with error message "Invalid SSL Cert for api.mycloud1.com".

ubuntu@ubuntu14:~/bosh-workspace/deployments/cf$ openssl s_client -connect api.mycloud1.com:443
CONNECTED(00000003)
depth=0 O = Bosh, CN = *.mycloud1.com
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Bosh, CN = *.mycloud1.com
verify return:1
---
Certificate chain
 0 s:/O=Bosh/CN=*.mycloud1.com
   i:/O=Bosh/CN=*.mycloud1.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM certificate body omitted]
-----END CERTIFICATE-----
subject=/O=Bosh/CN=*.mycloud1.com
issuer=/O=Bosh/CN=*.mycloud1.com
---
No client certificate CA names sent
---
SSL handshake has read 1466 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 0036F103D5E54DE8806CD6E6D7830FED90ACFDA6E4B54E0133114A2C7F9FBBFC
    Session-ID-ctx:
    Master-Key: 6F6570C05B86422442708D90C362FC3EA874C6613703B87D93AAB3B06952A01BA376505119B1004E37119F5603A4468D
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 04 4e c4 0b 0f b1 f9 19-0a 98 cd 52 24 83 3f b4   .N.........R$.?.
    0010 - 5d 2b d8 9c 2d 0b b6 09-76 2e bf 67 ae 11 36 cc   ]+..-...v..g..6.
    0020 - 20 ba 40 c7 52 24 a5 e4-fe d3 1e 34 6c 9b 7a ba    .@.R$.....4l.z.
    0030 - fb c5 68 95 e7 fc 43 ee-3f d0 35 c7 d2 fa 21 6c   ..h...C.?.5...!l
    0040 - a9 87 0f a3 26 1f c3 51-23 2e cb 24 41 6a 91 f7   ....&..Q#..$Aj..
    0050 - f7 92 d7 32 55 a5 cc 6c-38 7a f6 38 c5 3a f6 5a   ...2U..l8z.8.:.Z
    0060 - cf db 0e 0a 1b c5 30 78-ab 54 7e af 54 ab 0d ec   ......0x.T~.T...
    0070 - 81 93 74 7e ae 6a 2d 24-48 0e 05 86 aa c9 e3 c1   ..t~.j-$H.......
    0080 - 09 02 b7 74 eb 96 20 95-eb 78 1a 4e f6 ae 41 bc   ...t.. ..x.N..A.
    0090 - 69 b0 50 f9 30 60 b6 33-82 15 0b ea 7d 61 6b      i.P.0`.3....}ak
    00a0 - <SPACES/NULS>

    Start Time: 1414031988
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

Mike Youngstrom

Oct 23, 2014, 12:54:16 AM
to vcap...@cloudfoundry.org
So, it looks like you have a self-signed cert.  For some reason I was working under the assumption that you had a valid publicly signed cert. :)

Have you tried "cf api https://api.mycloud1.com --skip-ssl-validation"?

Mike

Guangcai Wang

Oct 23, 2014, 2:27:04 AM
to vcap...@cloudfoundry.org
That works with "--skip-ssl-validation".

I am curious why it cannot work without that option.

Mike Youngstrom

Oct 23, 2014, 11:28:00 AM
to vcap...@cloudfoundry.org
It's because your cert is not a valid cert signed by a public certificate authority.  You must buy a cert like this one: https://ssl.comodo.com/wildcard-ssl-certificates.php in order for browsers and the CLI not to alert you.  --skip-ssl-validation is the equivalent of continuing after a browser has popped up a certificate warning/error.

You can put your self-signed cert in your computer's trusted cert keystore, and that would eliminate the browser warnings and the CLI issue, but it would need to be done on each computer connecting to your server.

Mike
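As an added illustration of what the thread concludes (not code from the cf CLI or from any poster), the Go program below reproduces the CLI's trust decision in-process: a constructed self-signed certificate for api.mycloud1.com, signed with SHA-384, is rejected against the OS roots with "certificate signed by unknown authority" and accepted once that same certificate is added to the root pool, which is the programmatic equivalent of Mike's "put it in the trusted cert keystore" advice. The host name, organization and validity window are assumptions chosen to match the openssl output above; --skip-ssl-validation corresponds to skipping this Verify call entirely.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned builds a constructed self-signed certificate for host, signed with
// SHA-384 (newer Go versions register that hash in crypto/x509, so the blank import is moot).
func newSelfSigned(host string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{Organization: []string{"Bosh"}, CommonName: host},
		DNSNames:           []string{host},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(24 * time.Hour),
		SignatureAlgorithm: x509.SHA384WithRSA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainst does what crypto/tls does for the CLI: the server cert must chain to a
// root in roots, with roots == nil meaning the operating system's trust store.
func verifyAgainst(cert *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	cert, _ := newSelfSigned("api.mycloud1.com")
	pool := x509.NewCertPool()
	pool.AddCert(cert) // the "add it to your trusted cert keystore" step, done in-process
	fmt.Println("OS roots:", verifyAgainst(cert, "api.mycloud1.com", nil))
	fmt.Println("self-signed cert trusted as root:", verifyAgainst(cert, "api.mycloud1.com", pool))
}
```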
