6c746cf to 16c418e
Once upon a time, the whole logic was in files_external, iirc, as it started with the support of custom CAs against file servers.

The path (and data) will be different when switching on or off files_external, right. That's a little unpredictable and confusing. When going to a different location, go fully there, and do a migration of the old data, if existing.

I can do that, yeah. I was wondering if there was a special reason of using
16c418e to ddb5f48
…rnal to data

CertificateManager doesn't work properly if the files_external app is disabled, so let's store directly in /data/certificate_manager the bundled certificates. This always has to be done on local disk as curl currently requires a path to the cert bundle. When we require PHP 8.1 we will be able to simply store the certificate bundle in database/memory/cache and pass it through the CURLOPT_SSLCERT_BLOB option.

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
ddb5f48 to 1171f3c
| protected IConfig $config, | ||
| protected LoggerInterface $logger, | ||
| protected ISecureRandom $random, | ||
| protected IAppManager $appManager |
icewind1991 left a comment
The current logic still goes through the NC fs instead of always storing the bundle on disk but your PR description implies this wouldn't be the case anymore
| protected string $newRootPath; | ||
|
|
||
| public function __construct(protected View $view, protected IConfig $config) { | ||
| $this->newRootPath = $this->config->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data') . '/data/certificate_manager'; |
| } | ||
|
|
||
| protected function shouldRun(): bool { | ||
| return $this->view->file_exists($this->newRootPath . self::ROOT_CERTS_FILENAME); |
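Review bot: In the constructor, the `datadirectory` value already points at the data directory (its default here is `\OC::$SERVERROOT . '/data'`), so appending `'/data/certificate_manager'` gives `<datadirectory>/data/certificate_manager`, with a doubled `data` segment in the default case. If the intended location is `<datadirectory>/certificate_manager`, drop the extra `/data`. In `shouldRun()`, `$this->newRootPath . self::ROOT_CERTS_FILENAME` is joined without a separator, which is only correct if the constant starts with a slash. The check also passes an absolute local path to `$this->view->file_exists()`, which goes through the View rather than the local disk, so a direct local file check may be what is wanted if the bundle is meant to live on disk.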
this looks like it's missing a negation
We are using S3 storage and see the SSL cert error due to not having
Summary
CertificateManager doesn't seem to work properly if the files_external app is disabled (the files get put in /tmp for no reason I know of), so let's store directly in /data/certificate_manager the bundled certificates. This always has to be done on local disk (even with primary ObjectStorage) as curl currently requires a path to the cert bundle.

Another way of doing it would be directly using a file given by the ITempManager, but it would need rebuilding the bundle and rewriting the file after each cron call. 😱

When we require PHP 8.1 we will be able to simply store the certificate bundle in database/memory/cache and pass it through the CURLOPT_SSLCERT_BLOB option.

TODO
Checklist
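An added example (not code from this PR or from Nextcloud) of the approach the summary describes: keep a validated CA bundle on local disk, replace it atomically, and give curl its path. The helper name `writeCaBundle`, the demo directory, the bundle file name and the URL are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (assumed names): validate PEM certificates and write
// them as one bundle on local disk. Returns the bundle path.
function writeCaBundle(string $dir, array $pemCerts, string $name = 'ca-bundle.example.crt'): string {
    if (!is_dir($dir) && !mkdir($dir, 0750, true) && !is_dir($dir)) {
        throw new RuntimeException("cannot create $dir");
    }
    $bundle = '';
    foreach ($pemCerts as $pem) {
        $cert = @openssl_x509_read($pem);   // false when not a parsable X.509 certificate
        if ($cert === false) {
            continue;                        // skip garbage instead of writing it into the trust store
        }
        openssl_x509_export($cert, $normalized);  // re-export as clean PEM
        $bundle .= $normalized . "\n";
    }
    if ($bundle === '') {
        throw new RuntimeException('no valid certificate to bundle');
    }
    // Write a temp file in the same directory, then rename it into place, so a
    // concurrent request never reads a half-written bundle.
    $tmp = tempnam($dir, 'bundle');
    if ($tmp === false || file_put_contents($tmp, $bundle) === false) {
        throw new RuntimeException('cannot write temporary bundle');
    }
    chmod($tmp, 0640);
    $target = $dir . '/' . $name;
    if (!rename($tmp, $target)) {
        unlink($tmp);
        throw new RuntimeException("cannot move bundle to $target");
    }
    return $target;
}

// Demo input: a self-signed certificate constructed here, plus one invalid entry.
$key = openssl_pkey_new(['private_key_bits' => 2048]);
$csr = openssl_csr_new(['commonName' => 'Constructed Test CA'], $key);
openssl_x509_export(openssl_csr_sign($csr, null, $key, 1), $pem);
$path = writeCaBundle(sys_get_temp_dir() . '/certificate_manager_demo', [$pem, 'not a certificate']);
echo $path, ' holds ', substr_count(file_get_contents($path), 'BEGIN CERTIFICATE'), " certificate(s)\n";

// curl takes the bundle as a filesystem path.
$ch = curl_init('https://storage.example.invalid/');   // placeholder URL, no request is sent
curl_setopt($ch, CURLOPT_CAINFO, $path);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
```

If the target directory is not writable, `tempnam()` falls back to the system temp directory, and the rename may then cross filesystems and stop being atomic, so check the directory's permissions when deploying.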