Certificate manager fallback #42763
Open
Certificate manager fallback #42763
+144
−2
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tcitworld
requested review from
icewind1991,
a team,
ArtificialOwl and
blizzz
and removed request for
a team
tcitworld
force-pushed
the
certificate-manager-fallback
branch
from
6c746cf to
16c418e
Compare
|
Once upon a time, the whole logic was in files_external, iirc, as it started to with the support of custom CAs against file serves. |
|
The path (and data) will be different when switching on or off files_external, right. That's a little unpredictable and confusing. When going to a different location, go fully there, and do a migration of the old data, if existing. |
|
I can do that, yeah. I was wondering if there was a special reason of using |
tcitworld
force-pushed
the
certificate-manager-fallback
branch
from
16c418e to
ddb5f48
Compare
…rnal to data CertificateManager doesn't work propertly if the files_external app is disabled, so let's store directly in /data/certificate_manager the bundled certificates. This always has to be done on local disk as curl currently requires a path to the cert bundle. When we require PHP 8.1 we will be able to simply store the certificate bundle in database/memory/cache and pass it through the CURLOPT_SSLCERT_BLOB option. Signed-off-by: Thomas Citharel <[email protected]>
Signed-off-by: Thomas Citharel <[email protected]>
tcitworld
force-pushed
the
certificate-manager-fallback
branch
from
ddb5f48 to
1171f3c
Compare
icewind1991
reviewed
Feb 9, 2024
|
|
||
| public function __construct( | ||
| protected View $view, | ||
| protected IConfig $config, | ||
| protected LoggerInterface $logger, | ||
| protected ISecureRandom $random, | ||
| protected IAppManager $appManager |
icewind1991
requested changes
Feb 9, 2024
| protected string $newRootPath; | ||
|
|
||
| public function __construct(protected View $view, protected IConfig $config) { | ||
| $this->newRootPath = $this->config->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data') . '/data/certificate_manager'; |
| } | ||
|
|
||
| protected function shouldRun(): bool { | ||
| return $this->view->file_exists($this->newRootPath . self::ROOT_CERTS_FILENAME); |
There was a problem hiding this comment.
this looks like it's missing a negation
This was referenced Mar 12, 2024
Merged
Merged
Merged
|
We are using S3 storage and see the SSL cert error due to not having |
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
CertificateManager doesn't seem to work propertly if the
files_externalapp is disabled (the files get put in/tmpfor no reason I know of), so let's store directly in/data/certificate_managerthe bundled certificates. This always has to be done on local disk (even with primary ObjectStorage) as curl currently requires a path to the cert bundle.Another way of doing it would be directly using a file given by the
ITempManager, but it would need rebuilding the bundle and rewriting the file after each cron call. 😱When we require PHP 8.1 we will be able to simply store the certificate bundle in database/memory/cache and pass it through the
CURLOPT_SSLCERT_BLOBoption.TODO
Checklist