Stop overwriting cacert.pem on update or use the distro CA certs

Not sure whether to post this under feature requests or installation issues but here it goes.

Could you please stop overwriting the cacerts.pem file which is in the package? Or better yet, use the CA Certs provided by the distro?

This would be great for us who run their own root CA not having to re-add the whole chain every time an update is preformed.

Hi @telefunken

Could you give a bit more context? In which scenario this happens to you? Which distribution and which cacert.pem file is getting modified (specific path). That would help us to identify faster a possible fix.

Took me a while to figure Passbolt doesn’t use the distro certificates.

The full path is as follows:
/usr/share/php/passbolt/vendor/composer/ca-bundle/res

The pem file at that location is used by the SMTP package to validate against the server. Since passbolt has strict SSL enabled it fails if the root CA is invalid and thus mails don’t work.

The pem file gets overwritten with every update, or I presume it’s with the updates because every once in a while the pem file reverts back to the one in the package.

Hey,

The path you are providing is part of the vendored libraries. The ca-bundle dependency composer/ca-bundle - Packagist tries to find a CA on your system, if unable to find a CA it will fallback to the bundled one you are linking. Such fallback cacert.pem is not under passbolt control.

We’ll investigate a bit more why the library is not detecting your CAs.

Could you provide to us the path of your CA’s and which distro are you using?

Distributor ID: Ubuntu
Description:    Ubuntu 22.04.4 LTS
Release:        22.04
Codename:       jammy
dpkg -l ca-certificates
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name            Version                 Architecture Description
+++-===============-=======================-============-=================================
ii  ca-certificates 20230311ubuntu0.22.04.1 all          Common CA certificates

/etc/ssl/certs

ls  -la
total 840
Forum won't let me post a list this long, total 840 certificates
ls -la cacert.pem
-rw-r--r-- 1 root root 228292 Apr 25 15:36 cacert.pem
ls -la ca-certificates.crt
-rw-r--r-- 1 root root 210153 Apr  6 16:46 ca-certificates.crt

Thanks!

If I understood it correctly you would like to use /etc/ssl/certs/cacert.pem instead of the one located in /usr/share/php/passbolt/vendor/composer/ca-bundle/res, right?

Yes that is true. Strange that it doesn’t detect the location automatically because it is the default folder for lots of distro’s.

I didn’t do anything out of the ordinary, this is an Ubuntu machine running in a VM. I just installed the ISO, did some minor updating and configuring and then installed Boltpass.

Nothing special.

What locations does the package check?

Hey @telefunken, we have created a ticket (internal ref. PB-33174) to investigate this problem.

Hey @telefunken, can you let us know which particular functionality doesn’t work because of this override?

If it’s SMTP, we have added ability to specify custom SSL/TLS certificate with the v4.8.0 release.