Configuring HTTPS with CA's bundle certificate


Jon Masters

Aug 29, 2018, 6:44:28 AM
to meetecho-janus
Hi All,

I have a janus server configured for HTTPS with a certificate issued by GoDaddy. As these certificates are not created from the CA root certificate but from an intermediate certificate, in order for the trust to work GoDaddy provides a separate certificate bundle that connects the trust chain together.

At the moment the HTTP transport doesn't seem to allow me to add this extra certificate into the configuration.

Is this because there is another way to configure in this extra certificate or is it because libmicrohttpd doesn't support it or is it because no one has had a chance to do the work yet?

The http library has a config setting called MHD_OPTION_HTTPS_MEM_TRUST and I was wondering if it's just a case of adding this into the transport code but I wasn't sure if I was understanding the purpose of that option correctly.

If adding this into the http transport code is what needs to be done then I'm happy to have a crack at it and create a pull request.

Any insights into this would be welcome!

Cheers
Jon

Lorenzo Miniero

Aug 29, 2018, 6:59:48 AM
to meetecho-janus
I'm not sure MHD_OPTION_HTTPS_MEM_TRUST is what you need. According to the documentation, it's used to "authenticate and trust clients certificates". Not sure how these things work, but I think that when you have separate certificates, you can just put them all together in one file and the whole chain should be available that way (IIRC that's how we did it).

Lorenzo

Jon Masters

Aug 29, 2018, 7:05:25 AM
to meetecho-janus
Aha! That sounds like a solution. Thanks, I'll give it a try.

Jon

Alessandro Amirante

Aug 29, 2018, 7:20:16 AM
to Lorenzo Miniero, meetecho-janus
Yes, that's the way to go. It's the same way nginx handles certificate chains: merge all certs in one file, where your cert is the last one.

A.


Jon Masters

Aug 29, 2018, 7:25:20 AM
to meetecho-janus
Worked perfectly and I've learned something new. 
Thanks for your help, it's hugely appreciated.

Cheers
Jon