As a developer who works behind a firewall where the SSL traffic is inspected, I want hab to work with my own corporate cert.
Under linux environment, I am able to insert my own cert to get into a studio, by locating where the $HAB_STUDIOS/$studio_name/hab/cache/ssl/cert.pem. However, once I attempt to do a build, hab is setting the SSL context to cert.pem that is located in core/cacerts. I could overwrite this file after the first failure, but then this makes it tricky moving forward.
Diving deep, there are at least 3 spots where I see the cert.pem and cacerts.pem are getting stored.
$HAB_STUDIOS/$studio_name/hab/cache/ssl/cert.pem: This is required on first initial building of the studio, and is used to download all the necessary studio dependencies.$(pkg_path_for core/cacerts)/ssl/certs/cacert.pem/etc/ssl/certs/MYCOMPANY.pemOne would think that your build dependencies should assume what you have setup in your $HAB_STUDIOS but it looks like this feature is only specific to linux. And the commonality between mac and linux would be the use of core/cacerts package. So no more assumptions. It is interesting to see where certs are used all around and that it's literally everywhere.
I had to manually overwrite the files inside core/cacerts and hab was happy to continue downloading dependencies.
I wish there was an ability to allow companies to insert their own myorigin/cacerts to be used instead of the core/cacerts. This should probably get introduced when we start to build a studio.
ah okay something I didn't know, but export SSL_CERT_FILE=/path/to/your/company/cert.pem will allow you to override the default of resorting to core/cacerts within the studio.
This adds ability to install hab behind a firewall using the components/hab/install.sh script https://github.com/habitat-sh/habitat/pull/2597
This issue has come up in another environment.
We're trying to build in a CI job running on a Linux host. This host lives behind a firewall that's performing "transparent" SSL proxying. Nothing using only the public cacerts chain will succeed. Hab bits error, complaining about a self-signed cert (the one presented by the firewall).
export SSL_CERT_FILE=/path/to/your/company/certchain/totally-trust-the-corporate-man-in-the-middle.pem
Will allow curl to download the install script and the hab binary.
hab studio enter will succeed in downloading the bits necessary to enter the studio.
... but, dear reader, the environment within the studio
SSL_CERT_FILE environment variable set/path/to/your/company/certchain/totally-trust-the-corporate-man-in-the-middle.pem is not a file available within the studioOK. So, we cp /path/to/your/company/certchain/totally-trust-the-corporate-man-in-the-middle.pem ./ and _then_ enter the studio and _then_ export SSL_CERT_FILE=/src/totally-trust-the-corporate-man-in-the-middle.pem and _then_ the studio environment will trust connections out to the internet. We can download packages and crank out builds. Whoohoo!
hab studio build . ... "Nope, that's a self-signed cert."
Nuts. Right. The build is a clean environment. No SSL_CERT_FILE environment variable is passed in from the host to the studio. We've still got our copy of the totally-trust-the-corporate-man-in-the-middle.pem in the root of the source directory, so the file is available. But there is no env var set to point to it.
In the end, we had to add this less-than-ideal workaround to the CI script for each of the projects we wanted to build:
# set the trusted cert chain for the host
export SSL_CERT_FILE=/path/to/your/company/certchain/totally-trust-the-corporate-man-in-the-middle.pem
# copy the cert chain into the source directory being built
cp /path/to/your/company/certchain/totally-trust-the-corporate-man-in-the-middle.pem ./
# prepend trusting the copied cert chain to the plan itself, sorry about your version control!
echo -e "export SSL_CERT_FILE=/src/totally-trust-the-corporate-man-in-the-middle.pem\n$(cat plan.sh)" l> plan.sh
# now you can build it, god save your soul
hab studio build .
haha that almost sounds like what I had to do in my hab wrapper. There should be an easy way.
I _think_ I'd like for hab studio * commands to detect the presence of SSL_CERT_FILE being set on the host and if set:
SSL_CERT_FILE inside the studio session to that cached file pathI see hints in http-client/src/lib.rs about caching a certs.pem in the build of the http-client itself. I also see /hab/cache/ssl/cert.pem appear inside a studio. Are there code paths that can be updated to replace that cached cert.pem with a custom certs bundle when creating a studio?
That's a solution for the _build_ environment. If the _packaged services_ should be using that cert-chain, the cert.pem should _also_ get packaged up as muhcompany/ourcerts and packages set SSL_CERT_FILE={{pkgPathFor muhcompany/ourcerts}} in run hooks as appropriate.
@robbkidd the package muhcompany/ourcerts could be used as a build dependency to, couldn't it? I mean, I like a clear story for the CERT_SSL_FILE being picked up by the studio, but I don't see why for building it could not be included in the package itself as a dependency?
Nevermind x)
Sorry cat made me close. :X
After many of my colleagues kept running into this issue over and over, (granted I also had way too complicated SSL injection scripts), I took the time to start fresh and dig deep into this again.
Habitat is really simple to get setup when dealing in the face of corp certs.
SSL_CERT_FILE=/path/to/cert install.sh
SSL_CERT_FILE=/path/to/cert hab studio enter
export SSL_CERT_FILE=/path/to/cert
build /path/to/plan.sh
or
Place export SSL_CERT_FILE=/path/to/cert in your .studiorc file. Make sure the path you choose is within the perspective of /src.
For this to work, you can't really make use of the hab studio build, since you need to make sure you set the SSL_CERT_FILE environment variable inside the studio context. To get around that, you would do this:
SSL_CERT_FILE=/path/to/cert hab studio run "export SSL_CERT_FILE=/path/within/studio/to/cert && build /path/to/plan.sh"
Alternatively, you could source the .studiorc if you placed your SSL_CERT_FILE export in there, like so:
SSL_CERT_FILE=/path/to/cert hab studio run "source .studiorc && build /path/to/plan.sh"
So all this boils down to, if there is one thing that we can do to make hab great behind corp firewalls would be to implement what @robbkidd suggested:
I think I'd like for hab studio * commands to detect the presence of SSL_CERT_FILE being set on the host and if set:
- copy the file at that path to the hab cache that gets mounted into the studio
- set SSL_CERT_FILE inside the studio session to that cached file path
We have just hit this issue (two years later) after trying and failing to install Chef Automate v2, which in turn uses Habitat under the covers. Chef Automate must be squarely aimed at the Enterprise and it is surprising to find that we still have to use these work around steps in our process. We are reaching out to Chef to see if this really has not been resolved and there is no better alternative.
Most helpful comment
After many of my colleagues kept running into this issue over and over, (granted I also had way too complicated SSL injection scripts), I took the time to start fresh and dig deep into this again.
Habitat is really simple to get setup when dealing in the face of corp certs.
To install hab using the hab install.sh
To enter the hab studio the very first time
To make sure you can still build stuff within the studio
or
Place
export SSL_CERT_FILE=/path/to/certin your.studiorcfile. Make sure the path you choose is within the perspective of/src.To build stuff without entering the studio
For this to work, you can't really make use of the
hab studio build, since you need to make sure you set theSSL_CERT_FILEenvironment variable inside the studio context. To get around that, you would do this:Alternatively, you could source the
.studiorcif you placed yourSSL_CERT_FILEexport in there, like so:Feature Request
So all this boils down to, if there is one thing that we can do to make hab great behind corp firewalls would be to implement what @robbkidd suggested: