Solved local pkg repo w/ TLS (via poudriere, nginx, and a smallstep CA (step-cli/step-certificates))

I feel like I have about 90% of this all working, but am failing one final(?) step.
I have a local CA jailed and running, all good. short-lived certs, automatic renewal.
I have poudriere jailed and running, works great.
I have nginx running in the poudriere jail, forcing 80=>443 redirects, serving up both the poudriere web interface and serving out packages.
With the CA's cert loaded into firefox's cert mgmt, the browser works as expected from my laptop.
With the CA's cert copied to `/etc/ssl/certs` and hashed via `ln -s $CACERT "$(openssl x509 -noout -hash -in $CACERT)".0`, openssl says I'm good:
openssl s_client -connect <pkg.host>:443 | grep -i -e verif
returns
Code:
<snip>
Verification: OK
    Verify return code: 0 (ok)
without symlinking the hash, that command errors out with
Code:
Verification error: unable to get local issuer certificate
so I think I'm on the right track.

BUT, long story short (too late!), `pkg` is not happy when pointed to the repo.
(note that it /does/ work when I turn off the forced TLS redirect and just use http)
/usr/local/etc/pkg/repos/local.conf looks like:
Code:
local: {
  url: "https://<local pkg host>/packages/${ABI}-latest-laptop",
  enabled: yes
}
Is there somewhere else I need to feed the CA cert for pkg?
 
pkg(8) uses fetch(3); if the CA certificate has been added to the system's certificate store, then I would expect this to work. Looking at your commands, it doesn't look like the CA certificate was added to the CA bundle. In your case (because it's a self-signed certificate) it might be better to use SSL_CA_CERT_PATH.

Code:
HTTPS SCHEME
     Based on HTTP SCHEME.  By default the peer is verified using the CA
     bundle located in /usr/local/etc/ssl/cert.pem.  If this file does not
     exist, /etc/ssl/cert.pem is used instead.  If neither file exists, and
     SSL_CA_CERT_PATH has not been set, OpenSSL's default CA cert and path
     settings apply.  The certificate bundle can contain multiple CA
     certificates.  A common source of a current CA bundle is
     security/ca_root_nss.
From fetch(3)
 
Thanks so much for sending me down the correct path (pun slightly intended)!

I've been testing the client side of this on my laptop, which has ca_root_nss installed, and as you pointed out in the fetch manual, `/usr/local/etc/ssl/cert.pem` takes precedence when present.
What I had set up in /etc/ssl/ was actually working just fine on a fresh jail.
From now on, I'll populate `/usr/local/etc/ssl/cert.pem` on instantiation to cover all my bases.
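Added example (not from any of the posts above): a small sh script that encodes the fetch(3) lookup order quoted in the reply above, appends a private root CA to whichever bundle pkg(8) will actually read, and repeats the `openssl s_client` check with that bundle passed explicitly via `-CAfile`. That last point is the one the thread turns on: `s_client` with no `-CAfile` falls back to OpenSSL's default store (the hashed `/etc/ssl/certs` directory from the first post), which is not what fetch(3) consults once `/usr/local/etc/ssl/cert.pem` exists, so the two checks can disagree. The `PKG_HOST` variable, the `install` subcommand and the script name are this example's own conventions, not anything from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: resolve the CA bundle that
# fetch(3)/pkg(8) will actually consult, append a private root CA to it, and
# re-run the s_client check against that same bundle. The lookup order is
# the one quoted from fetch(3) above; PKG_HOST and the "install" subcommand
# are this script's own conventions (assumptions).
set -eu

# fetch(3) precedence: the ports bundle wins over the base bundle; if neither
# exists, SSL_CA_CERT_PATH (a hashed directory) is used if set; otherwise
# OpenSSL's compiled-in defaults apply. $1/$2 override the paths for testing.
fetch_ca_bundle() {
    local_bundle="${1:-/usr/local/etc/ssl/cert.pem}"
    base_bundle="${2:-/etc/ssl/cert.pem}"
    if [ -f "$local_bundle" ]; then
        printf '%s\n' "$local_bundle"
    elif [ -f "$base_bundle" ]; then
        printf '%s\n' "$base_bundle"
    elif [ -n "${SSL_CA_CERT_PATH:-}" ]; then
        printf '%s\n' "$SSL_CA_CERT_PATH"
    else
        printf '%s\n' "openssl-default"
    fi
}

# True if the PEM block in $2 already appears in bundle $1. Purely textual
# (newlines stripped on both sides), so it needs no openssl, but it will not
# recognise the same CA re-encoded with different line wrapping.
bundle_has_cert() {
    needle=$(tr -d '\r\n' < "$2")
    [ -n "$needle" ] || return 1
    tr -d '\r\n' < "$1" | grep -qF -- "$needle"
}

# Append cert $2 to bundle $1 (creating the bundle if needed), idempotently.
install_ca() {
    bundle="$1"; cert="$2"
    if [ ! -f "$bundle" ]; then
        mkdir -p "$(dirname "$bundle")"
        : > "$bundle"
    fi
    if bundle_has_cert "$bundle" "$cert"; then
        echo "already present in $bundle: $cert"
        return 0
    fi
    # Start on a fresh line if the bundle lacks a trailing newline.
    [ -z "$(tail -c 1 "$bundle")" ] || echo >> "$bundle"
    cat "$cert" >> "$bundle"
    echo "appended $cert to $bundle"
}

# Usage: PKG_HOST=<pkg host> sh pkg-ca.sh install /path/to/root_ca.crt
if [ "${1:-}" = "install" ]; then
    bundle=$(fetch_ca_bundle)
    case "$bundle" in
        openssl-default)
            echo "no cert.pem found; create /usr/local/etc/ssl/cert.pem or set SSL_CA_CERT_PATH" >&2
            exit 1 ;;
    esac
    if [ -d "$bundle" ]; then
        echo "$bundle is a hashed directory; install the cert there with a hash symlink instead" >&2
        exit 1
    fi
    install_ca "$bundle" "$2"
    # Same check as the first post, but pinned to the bundle pkg will use:
    # s_client without -CAfile falls back to OpenSSL's default store, which
    # is exactly how that check can pass while pkg still fails.
    if command -v openssl >/dev/null 2>&1; then
        openssl s_client -connect "${PKG_HOST:?set PKG_HOST}:443" \
            -servername "$PKG_HOST" -CAfile "$bundle" </dev/null 2>/dev/null \
            | grep -i verif
    fi
fi
```

Run it on the client (jail or laptop) after the CA is up: if the only bundle present is `/etc/ssl/cert.pem` the script appends there, and if `ca_root_nss` has put `/usr/local/etc/ssl/cert.pem` in place it appends there instead, which is the case the thread tripped over. Remember that upgrading `ca_root_nss` rewrites that file, so the append has to be repeated (or the CA dropped into the hashed directory named by `SSL_CA_CERT_PATH` instead).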
 