Skip to content

openvox 8x: document custom CA for HTTPS-inspecting proxies#241

Merged
tuxmea merged 5 commits into
OpenVoxProject:masterfrom
miharp:docs/ssl-custom-ca-proxy
May 23, 2026
Merged

openvox 8x: document custom CA for HTTPS-inspecting proxies#241
tuxmea merged 5 commits into
OpenVoxProject:masterfrom
miharp:docs/ssl-custom-ca-proxy

Conversation

@miharp
Copy link
Copy Markdown
Contributor

@miharp miharp commented May 22, 2026
edited
Loading

Summary

  • Adds a new doc page covering how to add a custom CA to OpenVox's vendored cert bundle for environments using HTTPS-inspecting proxies (Squid SSL Bump, etc.)
  • Explains why OpenVox ignores the OS trust store (it uses its own DEFAULT_CERT_FILE at /opt/puppetlabs/puppet/ssl/cert.pem and DEFAULT_CERT_DIR at /opt/puppetlabs/puppet/ssl/certs/)
  • Covers three approaches: certs/ + openssl rehash (recommended — survives upgrades), ssl_trust_store (module downloads only), and SSL_CERT_FILE with a merged bundle (universal, including gem installs and Windows)
  • Puppet management example: file + exec rehash for the certs/ approach, with a symlink variant for nodes where the cert is already deployed by puppet/trusted_ca
  • Adds nav entry under "SSL and certificates"

Motivation

Reported by a community member: gem installs and puppet module install fail behind Squid SSL Bump even when the proxy CA is in the system trust store.

Source verification

Claims verified against the OpenVox source:

  • OpenSSL::X509::DEFAULT_CERT_FILE = /opt/puppetlabs/puppet/ssl/cert.pem and DEFAULT_CERT_DIR = /opt/puppetlabs/puppet/ssl/certs/ confirmed on a live openvox-agent-8.27.0 install
  • puppet module install uses Puppet::SSL::SSLProvider#create_system_contextcreate_x509_store(include_system_store: true)store.set_default_paths, which respects both DEFAULT_CERT_FILE and DEFAULT_CERT_DIR (ssl_provider.rb:258)
  • ssl_trust_store scope confirmed via defaults.rb:1020 — applies to forge/https only, not gem subprocesses
  • puppet_gem provider runs gem as a subprocess (puppet_gem.rb), so only inherits SSL_CERT_FILE from the service environment

Test results

Tested on openvox-agent-8.27.0 (CentOS Stream 9, aarch64) via Vagrant. Generated a self-signed test CA, started a Python HTTPS server using that CA, and verified each approach:

=== TEST 1: Default cert.pem (should FAIL) ===
ERROR: OpenSSL::SSL::SSLError: certificate verify failed (unable to get local issuer certificate)

=== TEST 2: certs/ + openssl rehash ===
OK

=== TEST 3: SSL_CERT_FILE merged bundle ===
OK

=== TEST 4: Docs verification command ===
OK

Puppet file + exec rehash approach also verified — idempotent, hash symlink created, Ruby connects without SSL_CERT_FILE:

Notice: /File[...proxy-ca.pem]/ensure: defined content as '{sha256}cda6...'
Notice: /Exec[rehash-puppet-ssl-certs]: Triggered 'refresh' from 1 event
# second run:
Notice: Applied catalog in 0.02 seconds  ← no changes

Test plan

  • Review doc prose for accuracy
  • Confirm nav link resolves correctly on built site

@miharp miharp force-pushed the docs/ssl-custom-ca-proxy branch from 77b3492 to 623fa16 Compare May 22, 2026 15:18
Sharpie
Sharpie reviewed May 22, 2026
View reviewed changes
Comment thread docs/_openvox_8x/ssl_custom_ca_proxy.md
@miharp miharp marked this pull request as ready for review May 22, 2026 16:04
@miharp miharp requested a review from a team as a code owner May 22, 2026 16:04
@miharp miharp requested review from Sharpie and tuxmea May 22, 2026 16:04
miharp and others added 4 commits May 23, 2026 07:11
@miharp @claude
openvox 8x: document custom CA for HTTPS-inspecting proxies
4321230 
Add a new page covering how to add a proxy CA to OpenVox's vendored
cert bundle so that gem installs and puppet module installs work
behind Squid SSL Bump and similar intercepting proxies.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Michael Harp <mike@mikeharp.com>
@miharp @claude
openvox 8x: incorporate review feedback on custom CA proxy doc
002087f 
- Promote certs/+rehash as the preferred quick fix (survives upgrades,
  no environment variable management needed) per Sharpie's review
- Note Windows caveat for openssl rehash
- Update Puppet example to lead with file+exec rehash; keep concat
  approach as the SSL_CERT_FILE alternative
- Retain direct cert.pem append as a one-liner fallback

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Michael Harp <mike@mikeharp.com>
@miharp @claude
openvox 8x: remove concat approach from managing-with-puppet section
2b789aa 
The certs/+rehash file+exec example covers the recommended approach
without needing an extra module dependency. SSL_CERT_FILE manual steps
remain documented for Windows edge cases.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Michael Harp <mike@mikeharp.com>
@miharp @claude
openvox 8x: add symlink alternative for certs/ approach
964db7b 
Add ln -s as an integration pattern in the Puppet section for nodes
where the CA is already deployed by puppet/trusted_ca into the OS
trust store. Remove symlink from the manual quick fix section — cp
is simpler when deploying the cert fresh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Michael Harp <mike@mikeharp.com>
@miharp miharp force-pushed the docs/ssl-custom-ca-proxy branch from 70d70db to 964db7b Compare May 23, 2026 11:11
@tuxmea tuxmea mentioned this pull request May 23, 2026
Closed
@tuxmea tuxmea merged commit 4bfbe87 into OpenVoxProject:master May 23, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Sharpie Sharpie Awaiting requested review from Sharpie

@tuxmea tuxmea Awaiting requested review from tuxmea

1 more reviewer

@maxadamo maxadamo maxadamo left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@miharp @Sharpie @tuxmea @maxadamo