Page MenuHomePhorge

default.pem in Arcanist is out of date - maybe remove it completely?
Open, Needs TriagePublic

Description

tldr

If your phorge install uses letsencrypt certs, and at any of your clients using arcanist are on centos, you will have this issue.

D25023 Implements a fix
https://github.com/willson556/phorge-devcontainer/pull/6 implements a fix in the phorge-devcontainer for those using this setup.

Issue

We noticed the issue as result of a

https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4

For TLS certificates issued by Let’s Encrypt, the root certificate (DST Root CA X3) in the default chain expires on September 30, 2021. Due to their unique approach, the expired certificate will continue to be part of the certificate chain till 2024. This affects OpenSSL 1.0.2k on RHEL/CentOS 7 servers, and will result in applications/tools failing to establish TLS/HTTPS connections with a certificate has expired message.

In essence, using Arcanist on Centos 7 or 8 no longer works and it seems to be because arcanist is grabbing its own default.pem file which is located here

Note that on Ubuntu, updating the ca-certificates package resolves the issue. However, on Centos we did the suggested update, but arcanist is still for some reason using this old pem file. We don't why that is yet, but, regardless, this file should probably be update as it is 5 years out of date.

https://we.phorge.it/source/arcanist/browse/master/resources/ssl/

The last updated date is Certificate data from Mozilla as of: Wed Jan 20 04:12:04 2016

We should update this fallback file to the latest .pem from https://curl.se/docs/caextract.html

Reproduce

Run this command - And it will fail

curl -v --cacert /path/to/arcanist/resources/ssl/default.pem https://letsencrypt.org/

Event Timeline

A friend of mine is able to reproduce this error on an updated Fedora 34 as well.

Deploying the new pem as described in the related D25023 fixed the issue.

What was the original rationale behind shipping a certificate bundle with Arcanist? It may be better to rely on the system certificate bundle instead (that also tends to have certificates from, for example, internal company issuers as well).

This is what the README says - And maybe we should remove support for the default.pem altogether? (But, possibly leave support for custom.pem)

https://we.phorge.it/source/arcanist/browse/master/resources/ssl/README;4230292997cef41ae2ec3259db009ce372b9ae79?as=remarkup

This document describes how to set Certificate Authority information.
Usually, you need to do this only if you're using a self-signed certificate.

OSX after Yosemite

If you're using a version of Mac OSX after Yosemite, you can not configure
certificates from the command line. All libphutil and arcanist options
related to CA configuration are ignored.

Instead, you need to add them to the system keychain. The easiest way to do this
is to visit the site in Safari and choose to permanently accept the certificate.

You can also use security add-trusted-cert from the command line.

All Other Systems

If "curl.cainfo" is not set (or you are using PHP older than 5.3.7, where the
option was introduced), libphutil uses the "default.pem" certificate authority
bundle when making HTTPS requests with cURL. This bundle is extracted from
Mozilla's certificates by cURL:

http://curl.haxx.se/docs/caextract.html

If you want to use a different CA bundle (for example, because you use
self-signed certificates), set "curl.cainfo" if you're using PHP 5.3.7 or newer,
or create a file (or symlink) in this directory named "custom.pem".

If "custom.pem" is present, that file will be used instead of "default.pem".

If you receive errors using your "custom.pem" file, you can test it directly
with curl by running a command like this:

curl -v --cacert path/to/your/custom.pem https://phabricator.example.com/

Replace "path/to/your/custom.pem" with the path to your "custom.pem" file,
and replace "https://phabricator.example.com" with the real URL of your
Phabricator install.

The initial lines of output from curl should give you information about the
SSL handshake and certificate verification, which may be helpful in resolving
the issue.

+1 to removing default.pem
/shrug on keeping custom.pem

Adding custom certificates to the system bundle on Linux is easy enough and usually necessary anyways, so if it takes additional work to keep custom.pem, I'd just drop it.

I also noticed that some of the technical issues (existence of curl.cainfo) would be resolved by T15047

I think updating the current pem file is a good holdover patch for now (sorry for the delay in reviewing the change). Re-working how arcanist manages certs is something we can look at addressing long-term.

We've picked up an updated version of the pem at https://secure.phabricator.com/D21739 - it's not the latest, but is it recent enough?

avivey renamed this task from default.pem in Arcanist is out of date to default.pem in Arcanist is out of date - maybe remove it completely?.Aug 31 2022, 20:21

I submitted D25049 for review on the 26th to address certs signed by the ISRG Root X2 root that is in the updated default.pem file.

@avivey the one in upstream does not contain the new ISRG Root X2 CA.