the process to validate the provider should work with an official certificate
cz8s opened this issue
Why
If you use a cert that was bought from an official SSL company, our platform does not work anymore.
Explanation
Every LEAP client has to validate the provider in a three-step process.
1: Download https://provider:443/provider.json
2: Download the CA linked in the provider.json
3: Use that CA to validate the connection to soledad/smtp/etc.
The only time we need to provide a fingerprint or CA to help the client validate something is when https://provider:443 cannot be validated otherwise.
In this case, the fingerprint or CA we provided MUST only be used to validate https://provider:443. For every other connection the CA linked in the provider.json MUST be used.
Definition of done
try.pixelated has to work with a valid certificate.
This problem has to be fixed in user-agent and dispatcher.
See pixelated/pixelated-user-agent#333
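The three-step bootstrap described in the issue, written out as an added Python example (not code from pixelated or LEAP). It keeps two separate TLS contexts so a pinned CA can only ever validate https://provider:443, while every later connection trusts only the CA named in provider.json. The field names `ca_cert_uri` and `ca_cert_fingerprint` and the `SHA256: hex` fingerprint format are assumptions, as is the constructed sample certificate used to exercise the pure functions offline.

```python
import base64
import hashlib
import json
import ssl
import urllib.request

# Field names in provider.json are assumptions (hypothetical; check the real document).
CA_URI_KEY, CA_FPR_KEY = "ca_cert_uri", "ca_cert_fingerprint"

def bootstrap_context(pinned_ca_file=None):
    """Step 1 only: validate https://provider:443. A certificate from a public CA
    validates against the system store; a pinned CA file replaces it only when the
    provider cannot be validated otherwise. This context is never reused."""
    return ssl.create_default_context(cafile=pinned_ca_file)

def parse_provider_json(text):
    """Step 2: URI of the provider CA and the fingerprint ('SHA256: hex') it must match."""
    doc = json.loads(text)
    algo, _, hexdigest = doc[CA_FPR_KEY].replace(" ", "").partition(":")
    return doc[CA_URI_KEY], algo.lower(), hexdigest.lower()

def ca_matches_fingerprint(pem, algo, hexdigest):
    """Hash the DER form of the downloaded CA and compare with provider.json."""
    return hashlib.new(algo, ssl.PEM_cert_to_DER_cert(pem)).hexdigest() == hexdigest

def service_context(ca_pem):
    """Step 3: a fresh context trusting ONLY the provider CA, for soledad/smtp/etc."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname + CERT_REQUIRED
    ctx.load_verify_locations(cadata=ca_pem)
    return ctx

def bootstrap_provider(host, pinned_ca_file=None):
    """Run the three steps; the returned context is the one for every other connection."""
    boot = bootstrap_context(pinned_ca_file)
    with urllib.request.urlopen(f"https://{host}:443/provider.json", context=boot) as r:
        uri, algo, fpr = parse_provider_json(r.read().decode())
    with urllib.request.urlopen(uri, context=boot) as r:  # CA fetched under step-1 trust
        ca_pem = r.read().decode()
    if not ca_matches_fingerprint(ca_pem, algo, fpr):
        raise ssl.SSLError("downloaded CA does not match the fingerprint in provider.json")
    return service_context(ca_pem)

# Constructed sample data (not a real certificate) so the pure functions run offline.
SAMPLE_DER = b"constructed-not-a-real-certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_FPR = hashlib.sha256(SAMPLE_DER).hexdigest()
SAMPLE_PROVIDER_JSON = json.dumps({CA_URI_KEY: "https://provider.example/ca.crt",
                                   CA_FPR_KEY: "SHA256: " + SAMPLE_FPR.upper()})
```

Only `bootstrap_provider` touches the network; with a commercially issued certificate on the provider host it is called without `pinned_ca_file`, which is the case this issue reports as broken.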
I tried to test this story, but the box fbernitt/debian-testing-amd64
is not working. I changed the box, installed puppet and executed a vagrant provision
and tried to start the dispatcher manually.
It could not verify the certificate of try; the certificate of staging is not correct.
The command executed is
/usr/bin/python /vagrant/pixelated-dispatcher.py manager -b docker --provider try.pixelated-project.org --provider-ca /vagrant/pixelated/resources/try.pixelated-project.org.ca.crt --bind 0.0.0.0 -r /var/lib/dispatcher --sslcert /vagrant/pixelated/test/util/server.crt --sslkey /vagrant/pixelated/test/util/server.key
The possible cause must be that the new deploy in try and other environments creates a new cert, so this cert must be updated in the project so that this does not happen and anyone can successfully use the dispatcher after following the README.
The cert used in try does not change after a deploy. It is still the same. You can see it by visiting
https://try.pixelated-project.org, which should always work without a warning.
If your vagrant box can not validate the cert, something is not using a valid cert.
Can you paste the error?
The try is now using the official certificate issued by Gandi, but yesterday it was not. The Try certificate was the same one Staging has now.
Yet I cannot sign off this story because it is not working like the README.
On Friday it downloaded the fbernitt box correctly, and after Jeff's fix I am able to test it correctly. I will do it today.