pixelated / pixelated-dispatcher

Server component of Pixelated that allows running multiple instances of the user agent on a single server.

the process to validate the provider should work with an official certificate

cz8s opened this issue · comments

why

If you use a cert that was bought from an official SSL company, our platform does not work anymore.

explanation

Every LEAP client has to validate the provider in a three-step process.
1: Download https://provider:443/provider.json
2: Download the CA linked in the provider.json
3: Use that CA to validate the connection to soledad/smtp/etc.

The only time we need to provide a fingerprint or CA to help the client validate something is when https://provider:443 cannot be validated otherwise.
And in this case, the fingerprint or CA we provided MUST only be used to validate https://provider:443. For every other connection the CA linked in the provider.json MUST be used.

definition of done

try.pixelated has to work with a valid certificate

This problem has to be fixed in user-agent and dispatcher.
See pixelated/pixelated-user-agent#333
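The three-step process from the issue, as an added sketch that is not code from pixelated-dispatcher or the user agent. `ProviderTrust`, `https_get`, `fake_get`, the `example.org` host and the bootstrap path are hypothetical, and the `ca_cert_uri` field name in provider.json is an assumption. Passing `bootstrap_ca=None` is the official-certificate case: the web endpoint is checked against the system trust store, and every other connection still uses the CA linked in provider.json.

```python
import json
import ssl
from urllib.parse import urlsplit
from urllib.request import urlopen

def https_get(url, cafile=None):
    """Fetch url; cafile=None means verify against the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read()

class ProviderTrust:
    def __init__(self, provider, bootstrap_ca=None, get=https_get):
        self.provider, self.bootstrap_ca = provider, bootstrap_ca
        web = "https://%s:443" % provider
        # Step 1: provider.json from the web endpoint (bootstrap CA or system store).
        info = json.loads(get(web + "/provider.json", bootstrap_ca))
        # Step 2: download the linked CA. Field name ca_cert_uri is an assumption.
        uri = urlsplit(info["ca_cert_uri"])
        if (uri.scheme, uri.hostname, uri.port or 443) != ("https", provider, 443):
            # This sketch's choice: refuse rather than stretch the bootstrap trust.
            raise ValueError("bootstrap trust only covers https://%s:443" % provider)
        self.provider_ca_pem = get(info["ca_cert_uri"], bootstrap_ca).decode("ascii")

    def trust_for(self, host, port):
        """Step 3: choose the trust anchor for one connection."""
        if (host, port) == (self.provider, 443):
            return ("bootstrap", self.bootstrap_ca)
        return ("provider_ca", self.provider_ca_pem)

    def context_for(self, host, port):
        """Build the SSLContext; with cadata set, the system store is not loaded."""
        kind, anchor = self.trust_for(host, port)
        if kind == "bootstrap":
            return ssl.create_default_context(cafile=anchor)
        return ssl.create_default_context(cadata=anchor)

# Constructed responses so the selection logic can be exercised offline.
CALLS = []
def fake_get(url, cafile=None):
    CALLS.append((url, cafile))
    if url.endswith("/provider.json"):
        return json.dumps({"ca_cert_uri": "https://example.org/ca.crt"}).encode()
    return b"-----CONSTRUCTED PLACEHOLDER, NOT A REAL PEM-----"
```
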

I tried to test this story, but the box fbernitt/debian-testing-amd64 is not working. I changed the box, installed puppet and executed a vagrant provision and tried to start the dispatcher manually.
It could not verify the certificate of try; the certificate of staging is not correct.
The command executed is:
/usr/bin/python /vagrant/pixelated-dispatcher.py manager -b docker --provider try.pixelated-project.org --provider-ca /vagrant/pixelated/resources/try.pixelated-project.org.ca.crt --bind 0.0.0.0 -r /var/lib/dispatcher --sslcert /vagrant/pixelated/test/util/server.crt --sslkey /vagrant/pixelated/test/util/server.key

The possible cause must be that the new deploy in try and other environments creates a new cert, so this cert must be updated in the project in order for this not to happen, so that anyone can successfully use the dispatcher after following the read.me.

The cert used in try does not change after a deploy. It is still the same. You can see it by visiting
https://try.pixelated-project.org, which should always work without a warning.
If your vagrant box cannot validate the cert, something is not using a valid cert.
Can you paste the error?

Try is now using the official certificate issued by Gandi, but yesterday it was not. The Try certificate was the same one Staging has now.
Yet, I cannot sign off this story because it is not working like the read.me.

On Friday it correctly downloaded the fbernitt box, and after Jeff's fix I am able to test it correctly. I will do it today.