# Configuring pkg and Calling poudriere Server with pkg Over HTTPS



## gladiola (Feb 23, 2020)

What are some of the key points to calling a poudriere server with pkg over HTTPS?

I set up a poudriere server that I'd like to call through a dynamic dns on a site that uses https with a cert from Let's Encrypt.  I notice that a lot of the pkg examples seem to be geared toward http.  When I try to use https as the protocol in the url property of the config file for the pkg repos, I end up with an authentication error.  This is alerting on the web server's cert; it's not alerting on the package signing key for poudriere.  When I set up for HTTP, the call times out in pkg.  When I look at fetch (in general), it seems like we could ask to turn https off; but, I'd like to get the authentication done.  Many of the examples have used certs generated by other means.  Since the Let's Encrypt cert works with a browser, I think I'd like to get pkg to use that one to verify the site.  

I consulted references like these:

https://www.digitalocean.com/commun...r-freebsd-servers#configuring-package-clients
https://www.freebsd.org/doc/handbook/pkgng-intro.html
https://www.freebsd.org/doc/en/books/porters-handbook/testing-poudriere.html
https://www.freebsd.org/cgi/man.cgi...opos=0&manpath=FreeBSD+12.1-RELEASE+and+Ports
https://www.freebsd.org/cgi/man.cgi...opos=0&manpath=FreeBSD+12.1-RELEASE+and+Ports
https://www.freebsd.org/cgi/man.cgi...opos=0&manpath=FreeBSD+12.1-RELEASE+and+Ports
https://www.freebsd.org/cgi/man.cgi...opos=0&manpath=FreeBSD+12.1-RELEASE+and+Ports
https://www.freebsd.org/cgi/man.cgi...opos=0&manpath=FreeBSD+12.1-RELEASE+and+Ports
https://github.com/freebsd/poudriere/wiki/pkg_repos

In cases like this, would we be expected to import a copy of that cert to the calling client?  That seems a little much.  Is this what the "srv" and "fingerprint" options are for?  Is there a file I should derive from the PEM on the website cert to share with the calling client?  Do you have advice or a tutorial recommendation that could show how to set up pkg on the calling client?  Thanks.


----------



## Lamia (Feb 24, 2020)

Most Poudriere servers that I have come across run on http. That being said, the config in /usr/local/etc/pkg/repos/FILENAME.conf would contain the [full]chain certificate, which provides the needed security.


----------



## Lamia (Feb 24, 2020)

The certificate needs to be available in the client. I don't know of a better way to get it there than manually copying it. I have not seen a tutorial that gets it deployed in the client from Poudriere.


----------



## gladiola (Feb 24, 2020)

Thank you for your swift and direct advice.  I will apply this and report if it works.  It may be a couple days or a weekend before I get back to it.  Thanks.


----------



## rigoletto@ (Feb 24, 2020)

Slightly outdated but still OK, HERE.


----------



## gladiola (Feb 24, 2020)

rigoletto@ said:


> Slightly outdated but still OK, HERE.


Thank you, but that is the primary reference listed above.


----------



## gladiola (Feb 24, 2020)

We got from one error to the next.  By using that tutorial, I had started by using an HTTP site with the packages signed using a command like:

```
sudo openssl genrsa -out /usr/local/etc/ssl/keys/poudriere.key 4096
sudo openssl rsa -in /usr/local/etc/ssl/keys/poudriere.key -pubout -out /usr/local/etc/ssl/certs/poudriere.cert
```
And then calling it with poudriere by:

```
PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/keys/poudriere.key
```

Later, we wanted to improve the website by installing a TLS cert.  We went to letsencrypt and installed the cert with certbot-py.  When the client called that site with pkg it would error out.

We didn't want to establish a practice that transferred a private key to the client.  So, we began by extracting a public key from the cert file and transferring that.  To extract the public key from the cert provided by letsencrypt, on the server, we used this reference:

How to save public key from a certificate in .pem format (stackoverflow.com)

```
openssl x509 -pubkey -noout -in cert.pem  > pubkey.pem
```

This carried us on to another verification error.

I was able to use this reference to clear a verification error:

pkg upgrade: Certificate verification failed for /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA – Dan Langille's Other Diary

```
pkg install ca_root_nss
```

As in Dan's blog, we were able to do a simple before and after test on the website cert and ca_root_nss install using the openssl client connect commands he provided like:

```
openssl s_client -connect SERVER_DOMAIN_NAME:443
```
Before we were getting an error code 20.  After, we were getting a 0.  We'll consider that verification problem somehow solved by the ca_root_nss installation.  The package description says that it provides, "Root certificates from certificate authorities included in the Mozilla NSS library and thus in Firefox and Thunderbird."  So, given Mozilla's association with Let's Encrypt, maybe that's how it allowed us to verify the cert. 

Another invalid signature error remained.  Notice that in the package repo signing key, we used a procedure that signed the packages with a key that probably was built to different specifications.  One key was generated locally on the poudriere server; the web cert is from someplace else.  This looks like the next problem to solve:  how do we clear the website's cert with one key and allow another signing key to be used for the package repo items during build?  Since the Let's Encrypt certs expire after a few months, this might be a question worth answering.

If our website cert problems were solved with that ca_root_nss, then it could be that transferring the poudriere.cert and tying that into the config file for that repo is the right answer.  We will try this soon.


----------



## SirDice (Feb 24, 2020)

Note that _signing_ packages has nothing to do with fetching packages over HTTPS, they are two different things. For HTTPS you just need to install a proper certificate on the webserver you use to share the repositories. 



gladiola said:


> When I try to use https as the protocol in the url property of the config file for the pkg repos, I end up with an authentication error.


You need security/ca_root_nss in order to verify SSL certificates signed by an internet root CA.
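The two layers SirDice separates, written out as an added example (not from any poster or from poudriere itself): transport is verified against the ca_root_nss bundle, package signatures against the poudriere public key, and the client conf is checked so that it never points at the private .key. File paths follow the thread; the host name and the key material in the test are placeholders.

```shell
#!/bin/sh
# Layer 1: TLS for the transport  -> web server cert, verified via ca_root_nss
# Layer 2: repo signing           -> poudriere.key stays on the builder; only the
#          public half (poudriere.cert) is copied to clients and named in the conf
set -eu

# Installed by security/ca_root_nss on FreeBSD (assumed path)
CA_BUNDLE=/usr/local/share/certs/ca-root-nss.crt

# Builder side: derive the public key that clients receive. The .key never leaves.
derive_pubkey() {   # $1 = private key, $2 = output public key
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# Client side: a repo definition using HTTPS for transport and the poudriere
# public key for signature checks (keys as documented in pkg.conf(5)).
write_repo_conf() {   # $1 = conf path, $2 = host, $3 = pubkey path on the client
    cat > "$1" <<EOF
poudriere: {
    url: "https://$2/packages/\${ABI}",
    mirror_type: "http",
    signature_type: "pubkey",
    pubkey: "$3",
    enabled: yes
}
EOF
}

# Check a conf before trusting it: https URL, pubkey signature checking, and the
# referenced key file must be a PUBLIC key, not a private one copied by mistake.
check_repo_conf() {   # $1 = conf path; returns 0 only when all three hold
    grep -q 'url: "https://' "$1" || return 1
    grep -q 'signature_type: "pubkey"' "$1" || return 1
    key=$(sed -n 's/.*pubkey: "\(.*\)".*/\1/p' "$1")
    grep -q 'BEGIN PUBLIC KEY' "$key" || return 1
    ! grep -q 'PRIVATE KEY' "$key"
}

# Transport layer only: does the web server cert chain to a trusted root?
# Exit 0 means "Verify return code: 0 (ok)", the same before/after test as Dan's.
check_tls() {   # $1 = host
    openssl s_client -connect "$1:443" -servername "$1" -CAfile "$CA_BUNDLE" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}
```

`check_tls` needs network access and the real host; the other functions work offline.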


----------



## gladiola (Mar 6, 2020)

Sir Dice, you are correct as usual. Thanks for your help.


----------

