Stop overwriting cacert.pem on update or use the distro CA certs

Not sure whether to post this under feature requests or installation issues but here it goes.

Could you please stop overwriting the cacerts.pem file which is in the package? Or better yet, use the CA Certs provided by the distro?

This would be great for those of us who run our own root CA, as we would not have to re-add the whole chain every time an update is performed.

Hi @telefunken

Could you give a bit more context? In which scenario does this happen to you? Which distribution, and which cacert.pem file is getting modified (specific path)? That would help us identify a possible fix faster.

Took me a while to figure Passbolt doesn’t use the distro certificates.

The full path is as follows:
/usr/share/php/passbolt/vendor/composer/ca-bundle/res

The pem file at that location is used by the SMTP package to validate against the server. Since passbolt has strict SSL enabled it fails if the root CA is invalid and thus mails don’t work.

The pem file gets overwritten with every update, or I presume it’s with the updates because every once in a while the pem file reverts back to the one in the package.

Hey,

The path you are providing is part of the vendored libraries. The ca-bundle dependency (composer/ca-bundle on Packagist) tries to find a CA on your system; if it is unable to find one, it will fall back to the bundled one you are linking. That fallback cacert.pem is not under Passbolt's control.

We’ll investigate a bit more why the library is not detecting your CAs.

Could you provide us with the path of your CAs and which distro you are using?
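An added diagnostic for the behaviour described above; it is not part of the thread and not Passbolt or composer/ca-bundle code. It asks the vendored library which CA store it resolves, flags the bundled fallback, and checks whether a private root CA is in that store. The script name, the root CA path argument and the autoloader location (`vendor/autoload.php` under the path quoted in the thread) are assumptions.

```php
<?php
// Added diagnostic; not Passbolt or composer/ca-bundle code.
// Usage: php check-ca.php /path/to/private-root-ca.pem   (script name is arbitrary)
// Assumption: Composer's autoloader is at vendor/autoload.php under the path from the thread.
use Composer\CaBundle\CaBundle;

require '/usr/share/php/passbolt/vendor/autoload.php';

/** SHA-256 fingerprints (as array keys) of every certificate in a PEM string. */
function pemFingerprints(string $pem): array
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    $out = [];
    foreach ($m[0] as $block) {
        $fp = openssl_x509_fingerprint($block, 'sha256');
        if ($fp !== false) {
            $out[$fp] = true;
        }
    }
    return $out;
}

/** Contents of a bundle file, or of every file in a CA directory such as /etc/ssl/certs. */
function readTrustStore(string $path): string
{
    $files = is_dir($path) ? (glob(rtrim($path, '/') . '/*') ?: []) : [$path];
    return implode("\n", array_map('file_get_contents', array_filter($files, 'is_file')));
}

$caFile = $argv[1] ?? null;
$wanted = ($caFile !== null && is_readable($caFile))
    ? pemFingerprints((string) file_get_contents($caFile))
    : [];
if ($wanted === []) {
    fwrite(STDERR, "usage: php check-ca.php <root-ca.pem>\n");
    exit(2);
}

// ca-bundle looks for a system CA store first; the bundled cacert.pem is its fallback.
$resolved = CaBundle::getSystemCaRootBundlePath();
$isFallback = realpath($resolved) === realpath(CaBundle::getBundledCaBundlePath());
printf("CA store in use: %s%s\n", $resolved, $isFallback ? ' (bundled fallback)' : '');

// Any fingerprint from the private CA file that the resolved store lacks is untrusted.
$missing = array_diff_key($wanted, pemFingerprints(readTrustStore($resolved)));
foreach (array_keys($missing) as $fp) {
    echo "not trusted by this store: sha256 $fp\n";
}
exit($missing === [] ? 0 : 1);
```

Run it as the user and with the PHP configuration that serves Passbolt, since the command-line and web server PHP setups can read different php.ini files and may resolve a different store.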

Distributor ID: Ubuntu
Description:    Ubuntu 22.04.4 LTS
Release:        22.04
Codename:       jammy
dpkg -l ca-certificates
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name            Version                 Architecture Description
+++-===============-=======================-============-=================================
ii  ca-certificates 20230311ubuntu0.22.04.1 all          Common CA certificates

/etc/ssl/certs

ls  -la
total 840
Forum won't let me post a list this long, total 840 certificates
ls -la cacert.pem
-rw-r--r-- 1 root root 228292 Apr 25 15:36 cacert.pem
ls -la ca-certificates.crt
-rw-r--r-- 1 root root 210153 Apr  6 16:46 ca-certificates.crt

Thanks!

If I understood it correctly you would like to use /etc/ssl/certs/cacert.pem instead of the one located in /usr/share/php/passbolt/vendor/composer/ca-bundle/res, right?

Yes, that is true. Strange that it doesn’t detect the location automatically, because it is the default folder for lots of distros.

I didn’t do anything out of the ordinary, this is an Ubuntu machine running in a VM. I just installed the ISO, did some minor updating and configuring and then installed Passbolt.

Nothing special.

What locations does the package check?

Hey @telefunken, we have created a ticket (internal ref. PB-33174) to investigate this problem.

Hey @telefunken, can you let us know which particular functionality doesn’t work because of this override?

If it’s SMTP, we have added the ability to specify a custom SSL/TLS certificate with the v4.8.0 release.

Hey @telefunken, just following up on this if you are still facing the problem. Feel free to reply here or DM me if you need further assistance.