Solved Calling Go developers...

A HUGE thank you to qiu3344 for responding to the plea for a Go developer to help resolve the FreeBSD trust store issue within SmallStep. qiu3344 stepped up to the plate and unselfishly contributed their expertise and time to bring closure to this issue. Around 100 lines of Go code were added in a pull request. The fix should find its way into a future release of SmallStep and Caddy. Anybody who uses these products on FreeBSD, and its derivatives such as TrueNAS, for private PKI certificate lifecycle management, owes qiu3344 a debt of gratitude for their contribution in making these products fully functional on more recent FreeBSD versions.
 
Just leaving a trail here for other people who try to run caddy (jailed, though that would not matter here mostly) as www user (as advised by the rc notes): the automatic local cert provisioning has some nits:

1) Need to mkdir /usr/local/etc/ssl/certs and chown it to www. This will let caddy (or, more specifically, the smallstep lib) write the local root CA.
2) As caddy runs as www, when smallstep would execute `certctl rehash`, the latter would fail since www can't write the required paths*. As a workaround, one can run certctl rehash manually.

*truststore tries sudo if it exists, that I think would fail a bit differently. See https://github.com/smallstep/truststore/blob/master/truststore_freebsd.go .

Also, don't forget to set the `debug true` global option in the Caddyfile to see where it got stuck.
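The two manual steps from the post above, as an added example script (not code from the thread, Caddy or smallstep): it hands the CA directory to the caddy user with ownership verified, and only runs `certctl rehash` when it actually can, reporting otherwise. The directory, user and the www/root split are assumptions taken from the post and can be overridden.

```sh
#!/bin/sh
# Added example, not code from the thread, Caddy or smallstep.
# Assumed defaults from the post: caddy runs as www and truststore writes
# the local root CA into /usr/local/etc/ssl/certs.
set -eu

CERT_DIR="${CERT_DIR:-/usr/local/etc/ssl/certs}"
CADDY_USER="${CADDY_USER:-www}"

# owner_of DIR: print DIR's owning user. ls output is portable across
# FreeBSD and Linux, unlike the differing stat flags.
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# prepare_cert_dir DIR USER: create DIR if missing and make USER its owner.
# Mode 0755: only the owner writes, everyone else can still read the CA.
# Fails (non-zero) if ownership did not end up as requested.
prepare_cert_dir() {
    dir="$1"; user="$2"
    [ -d "$dir" ] || mkdir -p "$dir"
    chown "$user" "$dir"
    chmod 0755 "$dir"
    [ "$(owner_of "$dir")" = "$user" ]
}

# rehash_truststore: certctl rehash writes system paths that www cannot,
# so it has to run as root. Returns 1 if certctl is absent (not a FreeBSD
# host) and 2 if not root, so the caller can say exactly what is missing.
rehash_truststore() {
    command -v certctl >/dev/null 2>&1 || return 1
    [ "$(id -u)" -eq 0 ] || return 2
    certctl rehash
}

main() {
    prepare_cert_dir "$CERT_DIR" "$CADDY_USER"
    if rehash_truststore; then
        echo "trust store rehashed; restart caddy"
    else
        echo "certctl rehash not run (needs root on FreeBSD); run it manually" >&2
    fi
}

# Run the steps only when invoked with --run, so the functions can also be
# sourced and exercised individually.
[ "${1:-}" = "--run" ] && main
```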
 