Pleroma federation issues with self-signed certs in local dev env
My goal here was to build a completely private / isolated dev environment for testing federation and features without needing to run any public instances with a webserver, LetsEncrypt, etc.
The following patch is what I used to ensure it works with self-signed certs on reserved TLDs. It disables certificate validation for Gun and uses a branch of Linkify that supports the TLDs lan, local, and localdomain. This works fine. (I'd like this to be a setting that only works with MIX_ENV=dev or something.)
diff --git a/lib/pleroma/gun/conn.ex b/lib/pleroma/gun/conn.ex
index a56625699..4f4ba532e 100644
--- a/lib/pleroma/gun/conn.ex
+++ b/lib/pleroma/gun/conn.ex
@@ -24,12 +24,8 @@ defmodule Pleroma.Gun.Conn do
defp maybe_add_tls_opts(opts, %URI{scheme: "https"}) do
tls_opts = [
- verify: :verify_peer,
- cacertfile: CAStore.file_path(),
- depth: 20,
- reuse_sessions: false,
- log_level: :warning,
- customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)]
+ verify: :verify_none,
+ log_level: :warning
]
tls_opts =
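Review bot: `verify: :verify_none` switches off certificate validation for every outbound HTTPS federation connection in every MIX_ENV, not only towards the reserved-TLD instances this is meant to serve, so any host on the path can impersonate a remote instance; the same unconditional switch-off is repeated in adapter_helper/gun.ex and connection_pool.ex. The dev problem is only that the self-signed certificate is not in the CAStore bundle, which is solved by trusting that certificate rather than by dropping verification: keep all the removed options and make just the bundle path overridable, e.g. `cacertfile: Application.get_env(:pleroma, :<dev_cacertfile_key>, CAStore.file_path()),` (key name is a placeholder), pointing it at a PEM containing the self-signed certificates from the dev-only config. That also keeps `customize_hostname_check`, which the SAN entries from `mix phx.gen.cert` already satisfy. `maybe_add_tls_opts/2` continues past the end of the hunk.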
diff --git a/lib/pleroma/http/adapter_helper/gun.ex b/lib/pleroma/http/adapter_helper/gun.ex
index 82c7fd654..f9fd7b221 100644
--- a/lib/pleroma/http/adapter_helper/gun.ex
+++ b/lib/pleroma/http/adapter_helper/gun.ex
@@ -37,7 +37,7 @@ defmodule Pleroma.HTTP.AdapterHelper.Gun do
defp add_scheme_opts(opts, %{scheme: "http"}), do: opts
defp add_scheme_opts(opts, %{scheme: "https"}) do
- Keyword.put(opts, :certificates_verification, true)
+ Keyword.put(opts, :certificates_verification, false)
end
defp put_timeout(opts) do
diff --git a/lib/pleroma/tesla/middleware/connection_pool.ex b/lib/pleroma/tesla/middleware/connection_pool.ex
index 906706d39..886995d87 100644
--- a/lib/pleroma/tesla/middleware/connection_pool.ex
+++ b/lib/pleroma/tesla/middleware/connection_pool.ex
@@ -24,7 +24,7 @@ defmodule Pleroma.Tesla.Middleware.ConnectionPool do
case ConnectionPool.get_conn(uri, opts[:adapter]) do
{:ok, conn_pid} ->
- adapter_opts = Keyword.merge(opts[:adapter], conn: conn_pid, close_conn: false)
+ adapter_opts = Keyword.merge(opts[:adapter], conn: conn_pid, close_conn: false, certificates_verification: false)
opts = Keyword.put(opts, :adapter, adapter_opts)
env = %{env | opts: opts}
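Review bot: The `certificates_verification: false` merged into `adapter_opts` is applied to every pooled connection regardless of scheme and duplicates the decision `add_scheme_opts/2` in adapter_helper/gun.ex already makes, so TLS policy now lives in two places that can drift apart. The pool middleware should only attach the pooled connection and leave verification to the adapter helper (and configuration); the line would then be `adapter_opts = Keyword.merge(opts[:adapter], conn: conn_pid, close_conn: false)`. The enclosing `case` and function extend beyond the hunk.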
diff --git a/mix.exs b/mix.exs
index 50d4b4080..f8974060e 100644
--- a/mix.exs
+++ b/mix.exs
@@ -157,7 +157,7 @@ defmodule Pleroma.Mixfile do
{:floki, "~> 0.27"},
{:timex, "~> 3.6"},
{:ueberauth, "~> 0.4"},
- {:linkify, "~> 0.4.1"},
+ {:linkify, git: "https://git.pleroma.social/pleroma/elixir-libraries/linkify.git", ref: "a365ccf7eb0451718666b733636ad435b9afcce6"},
{:http_signatures, "~> 0.1.0"},
{:telemetry, "~> 0.3"},
{:poolboy, "~> 1.5"},
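Review bot: Moving `:linkify` from the Hex release to a git dependency drops the package checksum from mix.lock, so the build now trusts whatever the git remote serves for that ref instead of a hash-verified artifact; pinning `ref:` to a full commit sha, as done here, is what keeps that acceptable and should not be loosened to a branch name. The line should also record why the fork is needed so it does not outlive its purpose, e.g. `# git fork: adds the lan/local/localdomain TLDs needed for isolated dev federation; return to the hex release if upstream gains them`. The enclosing `deps` function starts before the hunk.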
diff --git a/mix.lock b/mix.lock
index 3e5631c72..05eac22e2 100644
--- a/mix.lock
+++ b/mix.lock
@@ -65,7 +65,7 @@
"jose": {:hex, :jose, "1.10.1", "16d8e460dae7203c6d1efa3f277e25b5af8b659febfc2f2eb4bacf87f128b80a", [:mix, :rebar3], [], "hexpm", "3c7ddc8a9394b92891db7c2771da94bf819834a1a4c92e30857b7d582e2f8257"},
"jumper": {:hex, :jumper, "1.0.1", "3c00542ef1a83532b72269fab9f0f0c82bf23a35e27d278bfd9ed0865cecabff", [:mix], [], "hexpm", "318c59078ac220e966d27af3646026db9b5a5e6703cb2aa3e26bcfaba65b7433"},
"libring": {:hex, :libring, "1.4.0", "41246ba2f3fbc76b3971f6bce83119dfec1eee17e977a48d8a9cfaaf58c2a8d6", [:mix], [], "hexpm"},
- "linkify": {:hex, :linkify, "0.4.1", "f881eb3429ae88010cf736e6fb3eed406c187bcdd544902ec937496636b7c7b3", [:mix], [], "hexpm", "ce98693f54ae9ace59f2f7a8aed3de2ef311381a8ce7794804bd75484c371dda"},
+ "linkify": {:git, "https://git.pleroma.social/pleroma/elixir-libraries/linkify.git", "a365ccf7eb0451718666b733636ad435b9afcce6", [ref: "a365ccf7eb0451718666b733636ad435b9afcce6"]},
"majic": {:git, "https://git.pleroma.social/pleroma/elixir-libraries/majic.git", "289cda1b6d0d70ccb2ba508a2b0bd24638db2880", [ref: "289cda1b6d0d70ccb2ba508a2b0bd24638db2880"]},
"makeup": {:hex, :makeup, "1.0.3", "e339e2f766d12e7260e6672dd4047405963c5ec99661abdc432e6ec67d29ef95", [:mix], [{:nimble_parsec, "~> 0.5", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm", "2e9b4996d11832947731f7608fed7ad2f9443011b3b479ae288011265cdd3dad"},
"makeup_elixir": {:hex, :makeup_elixir, "0.14.1", "4f0e96847c63c17841d42c08107405a005a2680eb9c7ccadfd757bd31dabccfb", [:mix], [{:makeup, "~> 1.0", [hex: :makeup, repo: "hexpm", optional: false]}], "hexpm", "f2438b1a80eaec9ede832b5c41cd4f373b38fd7aa33e3b22d9db79e640cbde11"},
I generated self-signed certs like this:
mix phx.gen.cert -n mac-mini.lan mac-mini mac-mini.lan
This ensures the CN=mac-mini.lan and also adds two SAN entries for mac-mini and mac-mini.lan. All good here.
Config looked like this:
# Endpoint settings for a LAN-only dev instance: plain HTTP on 4000 and HTTPS on
# 443 using the self-signed key/cert pair under priv/cert.
config :pleroma, Pleroma.Web.Endpoint,
  url: [host: "Mac-mini.lan"],
  http: [port: 4000],
  https: [
    port: 443,
    cipher_suite: :strong,
    keyfile: "priv/cert/selfsigned_key.pem",
    certfile: "priv/cert/selfsigned.pem"
  ]

# Route all outbound Tesla HTTP through the Gun adapter.
config :tesla, adapter: Tesla.Adapter.Gun
Now, my two instances on separate machines are dev.lan and mac-mini.lan. I can fetch messages with search, I see the user profiles, and I can @mention and reply back and forth.
However, Follow Requests are broken and Chat doesn't work. So something else is wrong.
edit: video attached instead of screenshot