How to trust a CA system-wide?

I have been trying to add a CA in one of my openwrt loosely following https://openwrt.org/docs/guide-user/services/tls/pki and have failed miserably :frowning:

If I use curl and pass it a specific root ca, it works, but for some reason I cannot make it trusted by default. I'm definitely missing something but I haven't been able to find what, so any help is appreciated :slight_smile:

Some logs:

# Hashes and certs. They are installed in the folder, not symlinked as the tutorial mentions.
root@ap-c7:~# ls -l /etc/ssl/certs | grep Olaiz
lrwxrwxrwx    1 root     root            15 Apr 11 00:55 67fd160b.0 -> OlaizRootCA.crt
lrwxrwxrwx    1 root     root            27 Apr 11 00:55 6d5d9b88.0 -> OlaizRootCAIntermediate.crt
-rw-r--r--    1 root     root           599 Apr 11 00:45 OlaizRootCA.crt
-rw-r--r--    1 root     root           721 Apr 11 00:53 OlaizRootCAIntermediate.crt
root@ap-c7:~# openssl x509 -hash -noout -in /etc/ssl/certs/OlaizRootCA.crt
67fd160b
root@ap-c7:~# openssl x509 -hash -noout -in /etc/ssl/certs/OlaizRootCAIntermediate.crt
6d5d9b88
# Just curl does not work
root@ap-c7:~# curl https://ca.home.fermino.me
curl: (60) mbedTLS: The certificate is not correctly signed by the trusted CA

More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
# Curl with the root CA works fine (ignore the 404, that's just ok)
root@ap-c7:~# curl --cacert /etc/ssl/certs/OlaizRootCA.crt  https://ca.home.fermino.me
404 page not found
# Curl with the intermediate does not work.
root@ap-c7:~# curl --cacert /etc/ssl/certs/OlaizRootCAIntermediate.crt  https://ca.home.fermino.me
curl: (60) mbedTLS: The certificate is not correctly signed by the trusted CA

More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

Thanks and kind regards!

Did you read it? Was it helpful?

Yeap, and that's how I learned about the --cacert flag. It mentions that using the verbose flags one can find out what trust store is being used, but when using it, it doesn't add any meaningful messages.

Based on this link I'm guessing that mbedtls only uses a specific bundle file as the trust store, so that might be it.

In any case, it's kind of becoming an XY problem, as I'm just trying to test if the CA is trusted with curl. My original goal was to be able to request certificates through luci-app-acme using a custom acme server that is only signed by the CA it signs certificates for.

Quick update: acme uses curl internally, so the issue applies.

Well... Indeed. MbedTLS only uses /etc/ssl/certs/ca-certificates.crt as the trust store.

Appending my certificate to that file does the trick. One of the issues arising from this is that any update will break it, so I might end up scripting something to keep it updated. I've been trying to use libcurl-gnutls4 but haven't got around it yet.

root@ap-c7:~# cat /etc/ssl/certs/OlaizRootCA.crt >> /etc/ssl/certs/ca-certificates.crt 
root@ap-c7:~# curl https://ca.home.fermino.me
404 page not found

As far as I remember that's the same as what happens on Debian. You call the helper scripts to update the trust store and in the end all files are properly converted and placed in the right places and every cert is also echoed in one single file....

Thanks for taking the time to share your findings!

Yeap, I've been looking at the ca-bundle/ca-certificates makefile and it does not provide a script, although updating the file is straightforward.

About curl, it is indeed compiled with the hardcoded path.

Thank you for your time!!

Hello,
I'm also trying to get my openwrt to trust my custom ca and custom certs. I'm not sure I got your point @fermino . In debian I add the root ca cert, update certificates and all is ok. Can't I do the same in openwrt?

@pattagghiu

Have a look at the makefile. It's the same in the end as with Debian. All certs are bundled aka concatenated into a single file.

Edit. Reply to thread and not to a post...

Does this mean that basically every time there is an update of ca-certificates I need to concatenate manually my root ca cert to the ca-certificates.crt file? (probably this is what fermino was saying above..)
thanks


Depends?
If you use "just" the default CA then you don't need to do anything cause you just get the complete file from the package update or installation.
But, if you want to add your other 3rd party CA to the trust store, you have to add these CA and Certs to the trust store "manually".

Just to be sure you understand it: Even on debian the update helper script does nothing more. Yeah ok it will check file permissions and path and yadda yadda but in the end, every cert is just cated into a (large) single file. So no magic happens here.

@pattagghiu as a side note: if you're aiming to monitor the package update to add your CA, based on the makefile I think you should be looking at ca-bundle. That's the one that provides /etc/ssl/certs/ca-certificates.crt.

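Added example, not posted by anyone in the thread and not part of OpenWrt's ca-bundle package: the "scripting something to keep it updated" idea from fermino's solution post and the ca-bundle note above, as a POSIX sh script that appends the local root CA to the bundle only when it is missing, so it can be rerun after every ca-bundle upgrade. The paths are taken from the thread; the demo at the bottom uses constructed placeholder PEM bodies, not real certificates.

```shell
#!/bin/sh
# ensure_local_ca.sh: added example, not from the thread or OpenWrt's ca-bundle.
# mbedTLS-linked curl on OpenWrt only trusts /etc/ssl/certs/ca-certificates.crt,
# and every ca-bundle upgrade overwrites that file. This appends a local root CA
# only when it is missing, so it can be rerun from cron or after each upgrade.
# Needs only busybox sh, awk, tail and cat (no openssl).

# cert_in_bundle CERT BUNDLE: exit 0 when every non-empty line of CERT appears
# consecutively and in order in BUNDLE (line-exact PEM comparison).
cert_in_bundle() {
  awk -v certfile="$1" '
    BEGIN {
      n = 0; pos = 0; found = 0
      while ((getline line < certfile) > 0) { if (line != "") cert[n++] = line }
      close(certfile)
    }
    $0 == "" { next }                      # blank separators do not break a match
    {
      if (n == 0) exit 1
      if ($0 == cert[pos]) { pos++; if (pos == n) { found = 1; exit } }
      else if ($0 == cert[0]) pos = 1      # a new BEGIN line restarts the match
      else pos = 0
    }
    END { exit (found ? 0 : 1) }
  ' "$2"
}

# ensure_ca_in_bundle CERT BUNDLE: append CERT to BUNDLE once, idempotently.
ensure_ca_in_bundle() {
  ca="$1"; bundle="$2"
  [ -r "$ca" ] || { echo "cannot read $ca" >&2; return 2; }
  [ -f "$bundle" ] || : > "$bundle"
  if cert_in_bundle "$ca" "$bundle"; then
    echo "already present: $ca"; return 0
  fi
  [ -z "$(tail -c1 "$bundle")" ] || echo >> "$bundle"   # start on a fresh line
  cat "$ca" >> "$bundle" && echo "appended: $ca"
}

# --- demo on constructed files (placeholder PEM bodies, not real certificates) ---
demo_dir=$(mktemp -d)
bundle="$demo_dir/ca-certificates.crt"
ca="$demo_dir/OlaizRootCA.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Y29uc3RydWN0ZWQgbG9jYWwgcm9vdCBDQQ==' '-----END CERTIFICATE-----' > "$ca"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Y29uc3RydWN0ZWQgc2hpcHBlZCBDQQ==' '-----END CERTIFICATE-----' > "$bundle"
ensure_ca_in_bundle "$ca" "$bundle"   # appended
ensure_ca_in_bundle "$ca" "$bundle"   # already present, no duplicate
```

On the router you would call it as `ensure_ca_in_bundle /etc/ssl/certs/OlaizRootCA.crt /etc/ssl/certs/ca-certificates.crt` from a cron job or right after `opkg upgrade ca-bundle`; because the check is line-exact, keep the CA file in the same PEM line wrapping the bundle uses.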