Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use our own CA for Imp as well? #271

Open
jernst opened this issue Jul 24, 2024 · 0 comments
Open

Use our own CA for Imp as well? #271

jernst opened this issue Jul 24, 2024 · 0 comments
Labels
later Not now, maybe some time in the future

Comments

@jernst
Copy link
Member

jernst commented Jul 24, 2024

From the "when your own code surprises you positively" department -- this department is rarely seen but it very occasionally makes an appearance:

I built this Registry thing which knows how to generate TLS certs with a local certificate authority, see https://github.com/jernst/feditest/blob/pr-generate-site-json/src/feditest/registry.py . For S2S tests on UBOS, the root cert needs to be in the system trust store so we don't have to figure out how to tell Mastodon and every app to run ignore certificate validity. I just wrote that code, and it also wants the Imp node to store that root cert! (I haven't done that yet.)

But that means we could get rid of insecure certs entirely by pointing the Imp to that extra source of trust. I am tempted to say we should do that.

We wouldn't have to mess with the trust store on the system that runs feditest, but could simply provide it as an extra trust source to the httpx client (which I assume can be done).
@jernst jernst added the later Not now, maybe some time in the future label Aug 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
later Not now, maybe some time in the future
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jernst