elixir-mint / castore
Up-to-date certificate store for Elixir.
Hi,
I am seeing from the commit log that the certificate file priv/cacerts.pem is getting updated from time to time. And along with the change to the file, a new version is also released.
I am wondering how often we should update the castore package that is installed in a mix application, so that the running application never has a certificate problem.
Thanks,
Dev.
This issue pops up when sending an HTTPS request via Finch.
It seems as though CAStore is not compiled into the binary built via escript.build.
** (ArgumentError) unknown application: :castore
(elixir 1.12.0) lib/application.ex:880: Application.app_dir/1
(elixir 1.12.0) lib/application.ex:907: Application.app_dir/2
(mint 1.3.0) lib/mint/core/transport/ssl.ex:572: Mint.Core.Transport.SSL.add_cacerts/1
(mint 1.3.0) lib/mint/core/transport/ssl.ex:442: Mint.Core.Transport.SSL.add_verify_opts/2
(mint 1.3.0) lib/mint/core/transport/ssl.ex:432: Mint.Core.Transport.SSL.ssl_opts/2
(mint 1.3.0) lib/mint/core/transport/ssl.ex:328: Mint.Core.Transport.SSL.connect/4
(mint 1.3.0) lib/mint/http1.ex:114: Mint.HTTP1.connect/4
(finch 0.8.1) lib/finch/http1/conn.ex:45: Finch.Conn.connect/1
(finch 0.8.1) lib/finch/http1/pool.ex:45: anonymous fn/8 in Finch.HTTP1.Pool.request/5
(nimble_pool 0.2.4) lib/nimble_pool.ex:266: NimblePool.checkout!/4
(finch 0.8.1) lib/finch/http1/pool.ex:39: Finch.HTTP1.Pool.request/5
(finch 0.8.1) lib/finch.ex:261: Finch.request/3
(property_finances_import 0.3.0) lib/property_finances_import/soap_client.ex:106: SOAP.get_soap_response/3
(elixir 1.12.0) lib/task/supervised.ex:90: Task.Supervised.invoke_mfa/2
(elixir 1.12.0) lib/task/supervised.ex:35: Task.Supervised.reply/5
(stdlib 3.15) proc_lib.erl:226: :proc_lib.init_p_do_apply/3
At 14:01:15 UTC on September 30th, the "DST Root CA X3" certificate will expire. I'm sure the certificate will then be removed upstream and CI will then notify you to publish an update. However, I'm worried that quite a few things may have broken by that time.
I wrote up the details in this post a couple of days ago, but TL;DR:
partial_chain handler (used by many clients, including Mint and Hackney, to support cross-signed certificates)
As a result, the moment "DST Root CA X3" expires clients such as Mint will fail to connect to servers with a Let's Encrypt certificate that have been configured to serve up the longer (default) chain. I believe the only way to resolve this, besides configuring the server to omit the cross-signed CA certificate, is to remove the "DST Root CA X3" certificate from the trust store.
We may have to consider releasing a version of castore that omits the "DST Root CA X3" certificate some time before September 30th, to give people a chance to upgrade their code and deploy it to production, to stop applications from breaking that day. I thought I'd raise the issue well ahead of time so we can explore alternatives. What do you think...?
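The mitigation proposed in the post above is a trust store that no longer contains a particular root. As an added illustration, and not code from castore itself, the following Elixir module reads a PEM bundle such as priv/cacerts.pem, drops every certificate whose subject Common Name is in a list you pass (for example "DST Root CA X3"), and writes the remaining certificates to a new file. It relies only on :public_key from Erlang/OTP; the module name, function names and the output path in the usage note are this example's own choices.

```elixir
defmodule TrustStoreFilter do
  @moduledoc """
  Added example (not castore code): write a copy of a PEM CA bundle that omits
  roots with a given subject Common Name, e.g. "DST Root CA X3".
  """
  require Record

  # Import the ASN.1 record shapes so decoded certificates can be pattern-matched.
  Record.defrecord(
    :otp_certificate,
    :OTPCertificate,
    Record.extract(:OTPCertificate, from_lib: "public_key/include/public_key.hrl")
  )

  Record.defrecord(
    :otp_tbs_certificate,
    :OTPTBSCertificate,
    Record.extract(:OTPTBSCertificate, from_lib: "public_key/include/public_key.hrl")
  )

  # OID of the X.520 commonName attribute (id-at-commonName).
  @cn_oid {2, 5, 4, 3}

  @doc """
  Reads the PEM bundle at `in_path`, drops certificates whose subject CN is in
  `excluded_cns`, writes the rest to `out_path` and returns
  `{kept_count, dropped_cns}`.
  """
  def filter_bundle(in_path, out_path, excluded_cns) when is_list(excluded_cns) do
    entries = in_path |> File.read!() |> :public_key.pem_decode()

    {kept, dropped} =
      Enum.split_with(entries, fn
        {:Certificate, der, :not_encrypted} -> subject_cn(der) not in excluded_cns
        # Non-certificate PEM entries (if any) are passed through untouched.
        _other -> true
      end)

    File.write!(out_path, :public_key.pem_encode(kept))
    {length(kept), Enum.map(dropped, fn {:Certificate, der, _} -> subject_cn(der) end)}
  end

  @doc "Subject Common Name of a DER-encoded certificate, or nil if it has none."
  def subject_cn(der) when is_binary(der) do
    otp_certificate(tbsCertificate: tbs) = :public_key.pkix_decode_cert(der, :otp)
    {:rdnSequence, rdns} = otp_tbs_certificate(tbs, :subject)

    rdns
    |> List.flatten()
    |> Enum.find_value(fn
      {:AttributeTypeAndValue, @cn_oid, value} -> directory_string(value)
      _ -> nil
    end)
  end

  # DirectoryString values decode as {:printableString, charlist},
  # {:utf8String, binary}, {:teletexString, charlist}, and so on.
  defp directory_string({_type, value}) when is_list(value), do: List.to_string(value)
  defp directory_string({_type, value}) when is_binary(value), do: value
  defp directory_string(value) when is_binary(value), do: value
end
```

Running `TrustStoreFilter.filter_bundle("priv/cacerts.pem", "cacerts-without-dst.pem", ["DST Root CA X3"])` returns the number of certificates kept together with the CNs that were removed, which makes it easy to assert in a test that exactly one root was dropped and that the rest of the bundle is untouched.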
I just installed the package from hex, and the mix task is missing
** (Mix) The task "certdata" could not be found
Error while loading project :castore at /home/samuel/dpi_ws/uriel_counter/deps/castore
** (File.Error) could not read file "VERSION": no such file or directory
mix.lock
"castore": {:hex, :castore, "0.1.21", "f618df4d83ad844979e2748cb76937d970ea2c1aee3ca96d4c8301884b9939a1", [:mix], [], "hexpm", "1e4c72e5c476e50deee88ec1e6949f804c9a410d813dc17d3ce78b9b7c55b289"},
mix.exs
defmodule CAStore.MixProject do
  use Mix.Project

  @repo_url "https://github.com/elixir-mint/castore"

  def project do
    [
      app: :castore,
      version: version(),
      elixir: "~> 1.0",
      start_permanent: Mix.env() == :prod,
      deps: deps(),
      xref: [exclude: [:public_key]],

      # Hex
      package: package(),
      description: "Up-to-date CA certificate store.",

      # Docs
      name: "CAStore",
      docs: [
        source_ref: "v#{version()}",
        source_url: @repo_url
      ]
    ]
  end

  def application do
    [
      extra_applications: [:logger]
    ]
  end

  defp deps do
    [
      {:ex_doc, "~> 0.22", only: :dev}
    ]
  end

  defp package do
    [
      files: ["lib/castore.ex", "priv", "mix.exs", "README.md"],
      licenses: ["Apache-2.0"],
      links: %{"GitHub" => @repo_url}
    ]
  end

  defp version do
    "VERSION"
    |> File.read!()
    |> String.trim()
  end
end
Hey folks!
As noted by @cgrothaus in #67 (comment), the Outdated CI pipeline mistakenly bumps the library version and creates a new release whenever the curl command fails:
https://github.com/elixir-mint/castore/actions/runs/8761722399/job/24048599140
SHA256 of old file: 0
Downloading certdata.txt ...
Get certdata with curl!
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to hg.mozilla.org:443
Failed downloading via HTTPS with curl
Falling back to HTTP
URLs other than HTTPS are disabled by default, to enable use -k
** (File.Error) could not remove file "ca-bundle.crt": no such file or directory
(elixir 1.14.3) lib/file.ex:1182: File.rm!/1
(castore 1.0.6) lib/mix/tasks/certdata.ex:90: Mix.Tasks.Certdata.fetch_ca_bundle/0
(castore 1.0.6) lib/mix/tasks/certdata.ex:55: Mix.Tasks.Certdata.run/1
(mix 1.14.3) lib/mix/task.ex:421: anonymous fn/3 in Mix.Task.run_task/4
(mix 1.14.3) lib/mix/cli.ex:84: Mix.CLI.run_task/2
[outdated 912f587] Update certificates
1 file changed, 1 insertion(+), 1 deletion(-)
remote:
remote: Create a pull request for 'outdated' on GitHub by visiting:
remote: https://github.com/elixir-mint/castore/pull/new/outdated
remote:
To https://github.com/elixir-mint/castore
* [new branch] outdated -> outdated
branch 'outdated' set up to track 'origin/outdated'.
This happens because the exit code of mix certdata --check-outdated is the same when there are outdated certificates and when some failure occurs with fetching the certificates.
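The log above shows two things a trust-store updater should never do: treat "download failed" the same as "certificates outdated", and fall back to plain HTTP when HTTPS fails (the task correctly refused that fallback). As an added example, not castore's certdata task, the module below fetches the upstream certdata.txt over HTTPS only, with peer and hostname verification against castore's own bundle, compares its SHA-256 with the checked-in copy, and gives each outcome its own exit status so the CI step can tell them apart. The status values 0/1/2, the module and function names, and the local file name in the usage note are assumptions of this example; the upstream URL is passed in by the caller.

```elixir
defmodule CertdataCheck do
  @moduledoc """
  Added example (not castore's certdata task): fetch certdata.txt over HTTPS
  only, compare it with the checked-in copy, and return a distinct exit status
  for each outcome so CI can tell "outdated" from "could not check".
  """

  # Exit statuses assumed by this example.
  @up_to_date 0
  @outdated 1
  @failed 2

  @doc "Runs the comparison and returns the exit status the CI job should halt with."
  def run(url, local_path) do
    outcome =
      with {:ok, local} <- File.read(local_path),
           {:ok, upstream} <- fetch_https(url) do
        if sha256_hex(upstream) == sha256_hex(local), do: :up_to_date, else: :outdated
      else
        # Covers both an unreadable local copy and any download/TLS failure.
        {:error, reason} -> {:failed, reason}
      end

    IO.puts(:stderr, "certdata check: #{inspect(outcome)}")
    exit_status(outcome)
  end

  def exit_status(:up_to_date), do: @up_to_date
  def exit_status(:outdated), do: @outdated
  def exit_status({:failed, _reason}), do: @failed

  @doc """
  GET `url` with peer and hostname verification against castore's bundle.
  Any failure is returned as `{:error, reason}`; there is no plain-HTTP fallback.
  """
  def fetch_https("https://" <> _ = url) do
    {:ok, _} = Application.ensure_all_started(:inets)
    {:ok, _} = Application.ensure_all_started(:ssl)

    ssl_opts = [
      verify: :verify_peer,
      cacertfile: String.to_charlist(CAStore.file_path()),
      depth: 3,
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]

    request = {String.to_charlist(url), []}
    # No automatic redirects: a redirect to a different host or scheme is a failure here.
    http_opts = [ssl: ssl_opts, timeout: 30_000, autoredirect: false]

    case :httpc.request(:get, request, http_opts, body_format: :binary) do
      {:ok, {{_version, 200, _phrase}, _headers, body}} when byte_size(body) > 0 ->
        {:ok, body}

      {:ok, {{_version, status, _phrase}, _headers, _body}} ->
        {:error, {:http_status, status}}

      {:error, reason} ->
        {:error, reason}
    end
  end

  # Anything that is not an https:// URL is rejected outright.
  def fetch_https(other), do: {:error, {:not_https, other}}

  defp sha256_hex(data), do: :crypto.hash(:sha256, data) |> Base.encode16(case: :lower)
end
```

In a CI step this would be invoked as `mix run -e 'System.halt(CertdataCheck.run(url, "certdata.txt"))'`, and the surrounding shell would open the "Update certificates" pull request only on status 1, treat status 2 as a failed job (no commit, no version bump), and do nothing on 0. The point is that the release automation can only be triggered by a verified, successful comparison, never by a transport error.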
castore v0.1.16 has been released on hex.pm, but there is no git tag here on GitHub.
It seems the code published to hex does not contain the mix task.
I believe :certifi.cacertfile() is the same feature as CAStore.file_path(), as both provide a local file path for up-to-date Mozilla certs by default.
Could someone explain the point of having its own castore library instead of using :certifi?
From elixir-mint/mint#274
Is there any specific reason this library returns cached cacerts upon request, instead of returning the cafile path?
If we add a function to castore (e.g. CAStore.cacerts/0), then we don't need to implement a cache feature in other libraries individually (such as elixir-mint/mint#275).
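Two of the posts above point at the same underlying problem: the escript failure earlier on this page (Application.app_dir/1 raises because the :castore application and its priv directory are not available inside an escript), and the request just above for a CAStore.cacerts/0 that returns already-parsed certificates instead of a file path. As an added example, and not code from castore or Mint, the module below decodes the bundle once at compile time and keeps the list of DER certificates in the module, so the built artifact never needs the priv directory and callers do not re-parse the PEM. It assumes castore is a dependency of the project (so CAStore.file_path/0 is callable at compile time); the module and function names are this example's own.

```elixir
defmodule MyApp.CACerts do
  @moduledoc """
  Added example (not castore's or Mint's code): decode the CA bundle once at
  compile time and keep the DER list in the module, so an escript does not need
  castore's priv directory at run time and callers get parsed certificates.
  Assumes castore is a dependency compiled before this module.
  """

  # Recompile this module whenever the bundle shipped by castore changes.
  @external_resource CAStore.file_path()

  # Read at compile time; the path only has to exist on the build machine.
  @pem File.read!(CAStore.file_path())

  # DER-encoded CA certificates, decoded once when this module is compiled.
  @cacerts Enum.flat_map(:public_key.pem_decode(@pem), fn
             {:Certificate, der, :not_encrypted} -> [der]
             _other -> []
           end)

  @doc "Trusted CA certificates as a list of DER binaries, cached in the module."
  def cacerts, do: @cacerts

  @doc """
  TLS options that hand the in-memory list to the client via `:cacerts`
  instead of pointing `:cacertfile` at a path that may not exist in the
  built artifact. Peer and hostname verification stay enabled.
  """
  def ssl_opts do
    [
      verify: :verify_peer,
      cacerts: cacerts(),
      depth: 3,
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end
end
```

With Finch the list can be supplied through the pool's connection options, for example `Finch.start_link(name: MyFinch, pools: %{default: [conn_opts: [transport_opts: MyApp.CACerts.ssl_opts()]]})`, which Finch passes on to Mint as the TLS transport options. The trade-off is that the trust store is frozen at build time: updating castore and rebuilding is what refreshes it, so the release process has to include a rebuild whenever the bundle changes.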
castore 0.1.7 from hex.pm doesn't have the certdata task and the hex package doesn't have lib/mix/tasks/certdata.ex.
Just wondering how often the CAs are updated? And how do you know when to update? I want to use CAStore to get the latest Mozilla CA certificates and I'm not sure if I can rely on a new version of CAStore being released every time Mozilla's list is updated or if I should instead rely on mix certdata to always be up-to-date.
** (File.Error) could not read file "VERSION": no such file or directory
(elixir 1.14.4) lib/file.ex:358: File.read!/1
/Users/toranb/code/helloworld/deps/castore/mix.exs:53: CAStore.MixProject.version/0
/Users/toranb/code/helloworld/deps/castore/mix.exs:9: CAStore.MixProject.project/0
(mix 1.14.4) lib/mix/project.ex:838: Mix.Project.get_project_config/1
I was installing the latest dependencies for a project this morning and found the latest castore is now missing a version file.
Thanks again for supporting open source!