What CA list is used? #217
Replies: 4 comments
-
The webpki_roots Rust crate is used by Rustls, the TLS implementation used in EveBox. I've tested against my own Let's Encrypt TLS cert and it's fine. This corresponds to the trusted certs used by Firefox. Are you placing your own CA somewhere and hoping for it to be picked up?
-
The CA certs are installed into /etc/pki/ca-trust/source/anchors/ and update-ca-trust is run to update /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, which is the OS system trust file. Running evebox under strace, I see no evidence of it looking for any CA trust file. We will need a way to point rustls to the system CA root certs. Note that using this by default is what I would expect from an RPM install.
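The strace check described in the comment above, as an added example that is not part of the thread or of EveBox's code: it scans strace output for open calls on system CA trust locations. The trace lines, the `/etc/example/app.yaml` path and every trust-store location other than `/etc/pki/ca-trust/` are constructed or assumed for illustration.

```shell
#!/bin/sh
# Added example: find out from an strace log whether a process read a
# system CA trust store. All sample data below is constructed.

# Trust-store locations to look for. /etc/pki/ca-trust/ is the path named in
# the thread; the others are assumed common defaults on other distributions.
CA_PATTERN='/etc/pki/(ca-trust|tls)/|/etc/ssl/cert|/usr/share/ca-certificates/'

# ca_opens: read strace output on stdin, print "ok PATH" or "fail PATH" for
# every open()/openat() call on a trust-store path (fail = returned -1).
ca_opens() {
    sed -nE 's/.*open(at)?\([^"]*"([^"]+)".*\) = (-?[0-9]+).*/\3 \2/p' |
    grep -E "$CA_PATTERN" |
    awk '{ print ($1 >= 0 ? "ok" : "fail"), $2 }' |
    sort -u
}

# uses_system_trust: exit 0 if at least one trust-store file opened successfully.
uses_system_trust() {
    ca_opens | grep -q '^ok '
}

# Constructed trace: roots compiled into the binary, so no trust file is touched.
sample_bundled() { cat <<'EOF'
openat(AT_FDCWD, "/etc/example/app.yaml", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 4
connect(5, {sa_family=AF_INET, sin_port=htons(9200), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
EOF
}

# Constructed trace: the process probes candidate paths and loads the OS bundle.
sample_system() { cat <<'EOF'
openat(AT_FDCWD, "/etc/example/app.yaml", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", O_RDONLY|O_CLOEXEC) = 5
EOF
}

for s in sample_bundled sample_system; do
    if "$s" | uses_system_trust; then verdict="reads system CA store"
    else verdict="no system CA store opened"; fi
    echo "$s: $verdict"; "$s" | ca_opens | sed 's/^/    /'
done

# Real capture: strace -f -e trace=%file -o trace.log <command>; ca_opens < trace.log
```

An empty result from `ca_opens` on a process that still completes TLS handshakes means the trust anchors come from somewhere other than the listed paths, so a CA added with update-ca-trust will not be honoured by it.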
-
If you get a chance, could you test the latest development build from https://evebox.org/files/development/? I think I have fixed this issue. The binary release https://evebox.org/files/development/evebox-latest-linux-x64.zip is a straight up static binary that can be tested standalone with your config files.
-
That seems to do the trick, thanks!
-
I'm trying to connect to our opensearch server with HTTPS, but I must set
because:
Which is strange because the Issuer CA is in the standard location. What CA list is used by evebox?
Installed 0.15.0 via RPM on AlmaLinux 8.6.