Not compatible with FreeBSD

[Cubox]

There is no code to handle FreeBSD.

FreeBSD stores certificates in /usr/local/etc/ssl.
The port security/p11-kit provides the trust utility

[maraino]

@Cubox- Thanks for filling the issue, if you want to provide a PR I'll merge it, and integrate it into step.

[Cubox]

Will try. In the meantime, are those functions being used for anything outside of the cli command truststore?
Would having the functions do nothing and letting the whole thing compile work?

[maraino]

We're only using it for step certificate install, as a first pass having the functions returning a non implemented error would be ok.

[maraino]

You can try that with this build constraint

// +build !linux,!darwin,!windows

That will make it work for other OS too.

[maraino]

@Cubox- I've just committed a file that will make the compilation possible
https://github.com/smallstep/truststore/blob/master/truststore_others.go

FreeBSD support is still pending, so I'll keep this issue open

[mholt]

@Cubox- Is this still something you're working on? We (the Caddy project) have started seeing requests for this too and we think it'd be a great contribution 😃

[Cubox]

@mholt no sorry

[mholt]

That's alright, just wanted to check in! 👌

[basilhendroff]

'Trust store unsupported' Issue surfaces in the FreeBSD port of step-ca smallstep/certificates#572 and the Caddy internal CA (based on the Smallstep libraries) https://caddy.community/t/unresolved-mtls-under-freebsd/12364

[maraino]

This was totally lost, added to the triage meeting.

[basilhendroff]

I have some info that may be useful. This is in relation to the Caddy internal CA, but will probably be relevant to the Smallstep CA as well. Full details in this Caddy forum post forward https://caddy.community/t/mtls-under-freebsd-is-now-working/12364/47. TLDR the short version...

This is what I was seeing in the Caddy console log:

{"level":"warn","ts":"2021-05-10T21:41:57.225+0800","logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
2021/05/10 21:41:57 Note: NSS support is not available on your platform
2021/05/10 21:41:57 define JAVA_HOME environment variable to use the Java trust
{"level":"error","ts":"2021-05-10T21:41:57.226+0800","logger":"pki.ca.local","msg":"failed to install root certificate","error":"trust not supported","certificate_file":"storage:pki/authorities/local/root.crt"}

I then executed the following command....

root@caddy:~ # cat /.local/share/caddy/pki/authorities/local/root.crt >> /usr/local/share/certs/ca-root-nss.crt

Restarting Caddy, the internal CA now works. The console log shows the following...

{"level":"info","ts":"2021-05-20T13:13:20.993+0800","logger":"pki.ca.local","msg":"root certificate is already trusted by system","path":"storage:pki/authorities/local/root.crt"}

Don't get too excited though. The 'solution' is semi-permanent at best. The internal CA breaks if the ca_root_nss package on FreeBSD is updated. To fix it, it’s necessary to append root.crt to ca-root-nss.crt again. For reasons described in the bug report Bug 160387 - security/ca_root_nss: Allow user to trust extra local certificates, a permanent solution is unlikely to be forthcoming.

A second issue to contend with is the location of root.crt. It will depend on how Caddy is started and appears to be tied to the HOME environmental variable. More details in the above linked Caddy forum thread.

[francislavoie]

@basilhendroff Digging a bit more in FreeBSD bug tickets, there was apparently a certctl tool added which seems to support managing root certs in the trust store (also supporting a blacklist for example). It seems like putting the smallstep root cert into a particular location then running certctl rehash might do it? Could you look into this? See https://www.freebsd.org/cgi/man.cgi?query=certctl&apropos=0&sektion=0&manpath=FreeBSD+11.4-stable&arch=default&format=html

Also an interesting development, Go made a change regarding the location of the trust store a few days ago which should land in the next version of Go, i.e. version 1.17: golang/go#46284. This might also help. I guess this is all meant to land in FreeBSD 12.2?

I don't follow FreeBSD progress, so you may understand this better, but I'm hoping this might help push this in the right direction.

[basilhendroff]

@francislavoie My reading is that the certctl utility manages the list of TLS Certificate Authorities that are trusted by applications that use OpenSSL. I think it replaces what I tried in this Caddy forum post with the openssl rehash command.

As I understand it, Caddy doesn’t currently use OpenSSL - it uses the implementation of crypto from the Go standard library. With the proposed Go change, my interpretation is that Go intends to support OpenSSL. If you follow the link golang/go#46284., it does reference certctl. If that be the case, there is a mechanism to reliably add extra certificates using certctl.

[francislavoie]

With the proposed Go change, my interpretation is that Go intends to support OpenSSL.

Not quite, it just adds another file location from which it would load trust (this new one being preferred first if it exists). Still uses Go's crypto implementation.

The change is merged in Go, and will be released in Go 1.17 (and Caddy would just need to be built using that version of Go to get it to work). Actually, you might be able to build Caddy with a nightly/prerelease version of Go, to test out that Caddy reads trust from that new location.

[basilhendroff]

Okay, it appears we now have a way forward. certctl is a new certificate manager for FreeBSD 12.2 and later versions. It's unlikely this will be backported to earlier FreeBSD versions, which still rely on the method described in the OP. High-level steps:

1. Check for FreeBSD 12.2 or later.
2. Add the cert to TRUSTPATH (details in the certctl manual. I tested with /usr/local/etc/ssl/certs as this path doesn't appear to exist by default).
3. Run certctl rehash. Symbolic links to trusted certs are placed in the trust store at CERTDESTDIR (/etc/ssl/cert).

Detailed testing to confirm that this approach works can be viewed here.

[maraino]

@basilhendroff If you can send us a PR defining this for FreeBSD, I'll merge it

truststore/truststore_others.go

Lines 7 to 21 in 23dd882

	var (
	// NSSProfile is the path of the Firefox profiles.
	NSSProfile = ""
	// CertutilInstallHelp is the command to add NSS support.
	CertutilInstallHelp = ""
	)
	func installPlatform(filename string, cert *x509.Certificate) error {
	return ErrTrustNotSupported
	}
	func uninstallPlatform(filename string, cert *x509.Certificate) error {
	return ErrTrustNotSupported
	}

[basilhendroff]

@maraino Unfortunately, I'm not a developer so I'm unable to take this further. I've sounded out the TrueNAS community in the thread Calling on Go developers... for a Go developer with FreeBSD expertise to help bring some closure to this issue.

EDIT: I've cast the net further afield to the FreeBSD community Calling Go developers...

[basilhendroff]

A HUGE thank you to @qiu3344 from the FreeBSD community for responding to the plea for a Go developer to help resolve the FreeBSD trust store issue within SmallStep. @qiu3344 stepped up to the plate and unselfishly contributed their expertise and time to bring closure to this issue, Around 100 lines of Go code were added in a pull request. The fix should find its way in a future release of SmallStep and Caddy. Anybody who uses these products on FreeBSD, and its derivatives such as TrueNAS, for private PKI certificate lifecycle management, owes @qiu3344 a debt of gratitude for their contribution in making these products fully functional on more recent FreeBSD versions.

[francislavoie]

@maraino if you could give me a heads up when the releases are tagged, that'd be greatly appreciated 😄

Edit: Thanks! caddyserver/caddy#4453