Httpclient and Microsoft root CA

Really need some direction in getting a solution working. I am using
the WinRM ruby gem to invoke commands to Windows boxes over WinRM from
Linux servers. This is our requirement.

We will be making those WinRM calls over SSL. The WinRM gem requires
the httpclient gem. This is where I’m running into trouble. When I
make my WinRM call using SSL, the call fails with the following:

`connect': SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

This is because the httpclient uses a provided trust anchor (cacert.p7s)
that trusts some CAs. Obviously it doesn’t trust my internal Microsoft
root CA, but I need it to. My Windows boxes that will have commands run
against them have a certificate from our Microsoft CA. I just can’t
figure out how to “fix” httpclient to trust my root CA.

What I’m looking for is some code example from someone successfully
doing something like this, not necessarily from a Microsoft CA but
successfully changing the anchor trust because I can’t figure out how to
do it myself. I am a relative ruby noob unfortunately so the
documentation in the httpclient is over my head as far as how to change
the code. I have an exported certificate chain ready to go, I just
don’t know how to get it to use mine instead of the provided trust
anchor. Desperate for any guidance here. Thanks!


Dear Charlie,

I haven’t actually used the WinRM gem before, but I’m hopeful that
this might be of some use in getting you started:

As you rightly observe, cacert.p7s is the default for HTTPClient.
Quoting from
http://www.ruby-doc.org/gems/docs/h/httpclient-xaop-2.1.6/HTTPClient/SSLConfig.html:

‘cacert.p7s’ is automatically generated from JDK 1.6.
You may want to change trust anchor by yourself. Call
#clear_cert_store then #set_trust_ca for that purpose.

This #set_trust_ca appears to be exposed already in
WinRM::HTTP::HttpSSL, where it is an optional parameter in
#initialize.
(https://github.com/WinRb/WinRM/blob/master/lib/winrm/http/transport.rb,
line 79)

Matching this parameter position in the call to
WinRM::HTTP::HttpSSL.new is an optional parameter called
opts[:ca_trust_path].
(https://github.com/WinRb/WinRM/blob/master/lib/winrm/winrm_service.rb,
line 49)

Although with a different name to that in HTTPClient, it would appear
that this option is what you seek. The WinRM README gives instructions
for the use of this option with SSL. Quoting from
the WinRM README (https://github.com/WinRb/WinRM):

## Specifying CA path
WinRM::WinRMWebService.new(endpoint, :ssl,
    :user => myuser, :pass => mypass,
    :ca_trust_path => '/etc/ssl/certs/cert.pem',
    :basic_auth_only => true)

where /etc/ssl/certs/cert.pem is the path to your certificate.

As I say, I haven’t actually used WinRM, so it could be that someone
else is better placed to give you more specific advice. I hope that
this is of assistance, however.

Peace,
tiredpixel

On 11/10/2013 21:59, Charlie B. wrote:


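To make the trust-anchor behaviour tiredpixel describes concrete, here is an added example (mine, not code from the thread, from the WinRM gem or from httpclient). It builds a throwaway two-tier CA in memory (a root plus an issuing CA, the usual Microsoft CA layout) and a host certificate, then shows with Ruby's bundled OpenSSL why a store without the internal root rejects the host ("certificate verify failed") and why a store whose anchor is the exported root accepts it. The CA names, the hostname winhost.example.internal and the temp-file path are constructed for the example; the last function installs the same anchor into httpclient with the #clear_cert_store / #set_trust_ca calls quoted from the SSLConfig docs and only runs if the gem is installed.

```ruby
require 'openssl'
require 'tempfile'

# Issue an X.509 certificate for `subject` using `key`. With no issuer the
# certificate is self-signed (our root); otherwise it is signed by the issuer's
# key. `ca: true` marks it as a CA, as an internal root/issuing CA would be.
def make_cert(subject, key, issuer: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..(2**31))
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer ? issuer[:cert] : cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth', false))
  end
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed PKI: root -> issuing CA -> Windows host (names are made up).
ROOT_KEY     = OpenSSL::PKey::RSA.new(2048)
ROOT_CERT    = make_cert('/CN=Example Internal Root CA', ROOT_KEY, ca: true)
ISSUING_KEY  = OpenSSL::PKey::RSA.new(2048)
ISSUING_CERT = make_cert('/CN=Example Issuing CA', ISSUING_KEY,
                         issuer: { cert: ROOT_CERT, key: ROOT_KEY }, ca: true)
HOST_KEY     = OpenSSL::PKey::RSA.new(2048)
HOST_CERT    = make_cert('/CN=winhost.example.internal', HOST_KEY,
                         issuer: { cert: ISSUING_CERT, key: ISSUING_KEY })

# The exported root as a PEM file: the shape :ca_trust_path / #set_trust_ca want.
ROOT_PEM = Tempfile.new(['internal-root', '.pem'])
ROOT_PEM.write(ROOT_CERT.to_pem)
ROOT_PEM.flush

# Verify the host certificate the way the TLS layer does: the server presents
# its leaf plus the issuing CA; only the root needs to be a trust anchor.
# Returns [ok, openssl_error_string].
def verify_host(store, presented_chain = [ISSUING_CERT])
  ok = store.verify(HOST_CERT, presented_chain)
  [ok, store.error_string]
end

# A store that lacks the internal root, which is what httpclient's bundled
# cacert.p7s amounts to for an internal CA: verification fails, giving the
# "certificate verify failed" from the question.
def store_without_internal_root
  OpenSSL::X509::Store.new
end

# The fix: a store whose trust anchor is the exported internal root.
def store_with_internal_root(ca_path = ROOT_PEM.path)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_path)
  store
end

# The same anchor installed into httpclient (calls from the SSLConfig docs).
# Peer verification stays on; swapping the anchor is the fix, not disabling it.
def configure_httpclient(ca_path = ROOT_PEM.path)
  require 'httpclient'  # only needed if you actually build a client
  client = HTTPClient.new
  client.ssl_config.clear_cert_store        # drop the bundled cacert.p7s
  client.ssl_config.set_trust_ca(ca_path)   # trust only the internal root
  client.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_PEER
  client
end

if __FILE__ == $PROGRAM_NAME
  p verify_host(store_without_internal_root)[0]  # => false
  p verify_host(store_with_internal_root)[0]     # => true
end
```

For WinRM the equivalent is passing the same PEM path as `:ca_trust_path`, as in the README snippet above; because the issuing CA travels in the server's chain, the file only needs to contain the root (adding the issuing CA too does no harm).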