Machines administered by DSA have a custom setup for SSL verification.
By default, DSA-administered machines only trust CA certs that issue SSL certs for debian.org services.
Some services need to verify the SSL certs of arbitrary services on the Internet that could change their SSL provider at any point in time. For such software, DSA has provided /etc/ssl/ca-global, which contains all the certs trusted by ca-certificates.
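An added example, not from the DSA page or its tools: a Python helper that shows which CAs the ca-global bundle trusts beyond the restricted default store, by comparing SHA-256 fingerprints of every certificate in two PEM bundles. The default-store path /etc/ssl/certs/ca-certificates.crt is an assumption, and the embedded sample bundles are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import os
import re

# One PEM certificate block; tolerant of CRLF line endings and text between blocks.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def pem_fingerprints(bundle_text):
    """Return the SHA-256 fingerprints (hex) of all certificates in a PEM bundle.

    Duplicated certificates collapse to one fingerprint, so the result size is
    the number of distinct CAs the bundle actually trusts."""
    fingerprints = set()
    for match in _PEM_RE.finditer(bundle_text):
        der = base64.b64decode("".join(match.group(1).split()))
        fingerprints.add(hashlib.sha256(der).hexdigest())
    return fingerprints


def diff_bundles(restricted_text, global_text):
    """Compare the restricted default store with the ca-global bundle.

    Returns (only_in_global, only_in_restricted) as sorted fingerprint lists;
    a non-empty second list means the default store trusts a CA that
    ca-global does not, which a service switching stores should know about."""
    restricted = pem_fingerprints(restricted_text)
    global_ = pem_fingerprints(global_text)
    return sorted(global_ - restricted), sorted(restricted - global_)


def _fake_pem(label):
    # Constructed stand-in for a certificate: base64 of a label, not real DER.
    body = base64.b64encode(label).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


# Constructed sample bundles: the restricted store holds one CA, ca-global
# holds the same CA plus two public ones.
SAMPLE_RESTRICTED = _fake_pem(b"debian.org service CA")
SAMPLE_GLOBAL = SAMPLE_RESTRICTED + _fake_pem(b"public CA 1") + _fake_pem(b"public CA 2")

if __name__ == "__main__":
    # Assumed path for the default store; the ca-global path is from the page.
    paths = ("/etc/ssl/certs/ca-certificates.crt", "/etc/ssl/ca-global/ca-certificates.crt")
    if all(os.path.exists(p) for p in paths):
        with open(paths[0]) as r, open(paths[1]) as g:
            added, removed = diff_bundles(r.read(), g.read())
    else:
        added, removed = diff_bundles(SAMPLE_RESTRICTED, SAMPLE_GLOBAL)
    print("CAs only in ca-global: %d, only in default store: %d" % (len(added), len(removed)))
```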
/etc/ssl/ca-global
If your service needs this directory, use one of the snippets below, and please add your service to the users section at the end of this page.
apt
In an apt.conf fragment (for example under /etc/apt/apt.conf.d/), per host:
    Acquire::https::buildd.debian.org::CaInfo "/etc/ssl/ca-global/ca-certificates.crt";
curl
    dir=/etc/ssl/ca-global
    test -d $dir && capath="--capath $dir"
    curl $capath
or
    file=/etc/ssl/ca-global/ca-certificates.crt
    test -f $file && export CURL_CA_BUNDLE="$file"
    curl
wget
    dir=/etc/ssl/ca-global
    test -d $dir && capath="--ca-directory=$dir"
    wget $capath
lynx
    dir=/etc/ssl/ca-global
    test -d $dir && export SSL_CERT_DIR="$dir"
    lynx
git
    dir=/etc/ssl/ca-global
    test -d $dir && git config --local --add http.sslCAInfo $dir/ca-certificates.crt
For an initial clone:
    dir=/etc/ssl/ca-global
    test -d $dir && git -c http.sslCAInfo=$dir/ca-certificates.crt clone <URL>
and then also set the config persistently like above.
Alternatively, set GIT_SSL_CAINFO=/etc/ssl/ca-global/ca-certificates.crt.
LWP
    my $ca_dir = '/etc/ssl/ca-global';
    $ENV{PERL_LWP_SSL_CA_PATH} = $ca_dir if -d $ca_dir;
php
A stream context needs to be created defining the additional cert information. Various APIs can then consume that context. For example:
    $capath = '/etc/ssl/ca-global';
    if (is_dir($capath)) {
        $context = stream_context_create(array('ssl' => array('capath' => $capath)));
        libxml_set_streams_context($context);
    }
    $xml = simplexml_load_file(…);
python-requests
    import os
    import requests

    bundle = '/etc/ssl/ca-global/ca-certificates.crt'
    if os.path.exists(bundle):
        # DSA-administered machine: verify against the global bundle
        requests.get('https://www.python.org/', verify=bundle)
    else:
        # elsewhere: fall back to the default trust store
        requests.get('https://www.python.org/')
Or in the shell wrapper for the Python script:
    dir=/etc/ssl/ca-global
    # the variable must be exported, otherwise the Python process never sees it
    test -d $dir && export REQUESTS_CA_BUNDLE=$dir/ca-certificates.crt
python-urllib
urllib in jessie and later verifies SSL certificates.
    import os
    import ssl
    import urllib  # Python 2 API; the context parameter needs 2.7.9 or later

    ca_path = '/etc/ssl/ca-global'
    if os.path.isdir(ca_path):
        context = ssl.create_default_context(capath=ca_path)
        data_file = urllib.urlopen("https://www.python.org/", context=context)
    else:
        data_file = urllib.urlopen("https://www.python.org/")
    data = data_file.read()
python-httplib2
This enables a per-connection workaround:
    import os
    from httplib2 import Http

    bundle = '/etc/ssl/ca-global/ca-certificates.crt'
    # None makes httplib2 fall back to its default CA bundle
    ca_certs = bundle if os.path.exists(bundle) else None
    h = Http(ca_certs=ca_certs)
This enables a global workaround for the issue and thus will only be suitable in some circumstances and might not always be supported:
    import os
    import httplib2

    bundle = '/etc/ssl/ca-global/ca-certificates.crt'
    if os.path.exists(bundle):
        httplib2.CA_CERTS = bundle
rt-mailgate
rt-mailgate requires the bundle rather than the dir:
    dir=/etc/ssl/ca-global
    test -d $dir && cafile="--ca-file $dir/ca-certificates.crt"
    /usr/bin/rt-mailgate ... $cafile
python-ldap / libldap
    import ldap

    ca_cert_file = "/etc/ssl/ca-global/ca-certificates.crt"
    # global, for all connections created afterwards:
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_file)
    # or per connection; OPT_X_TLS_NEWCTX must be set last so that the
    # per-connection TLS options actually take effect:
    connection.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_file)
    connection.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
users
- PTS update_incoming.sh downloader
- qa.d.o (vcswatch, data/cronjobs/ddpo.ci, data/cronjobs/ddpo.reproducible)
- webwml
- ieee-data
- rtc stuff
- security-tracker CVE lists download
- dep11-generator (AppStream data extractor)
- tracker.debian.org
- letsencrypt-domains (planet.debian.org hook)