gitserver: Setting tls.external.certificates clobbers system Certificate Authorities

[sfllaw]

• Sourcegraph version: 3.40.0
• Platform information: sourcegraph/deploy-sourcegraph@v3.40.0

Steps to reproduce:

1. Host GitHub Enterprise Server with a TLS certificate that is issued by an internal Certificate Authority.
2. Configure two GitHub code hosts, one for the public GitHub.com and another for your GitHub Enterprise Server:

   "GITHUB": [
     {
       "url": "https://github.com",
       "token": "REDACTED",
       "orgs": ["sourcegraph"]
     },
     {
       "url": "https://github.internal",
       "token": "REDACTED",
       "orgs": ["sourcegraph"]
     }
   ]

3. Add the internal CA’s certificate to Sourcegraph’s site configuration under experimentalFeatures, so gitserver can connect to github.internal:

   "experimentalFeatures": {
     "tls.external": {
       "certificates": [
         // Internal CA
         "-----BEGIN CERTIFICATE-----\n…\n-----END CERTIFICATE-----"        
       ]
     }
   }

4. Wait for gitserver to clone all the repositories.

Expected behavior:

1. repo-updater discovers all the repositories in github.com/sourcegraph and github.internal/sourcegraph
2. gitserver clones all the repositories in github.com/sourcegraph and github.internal/sourcegraph

Actual behavior:

1. repo-updater discovers all the repositories in github.com/sourcegraph and github.internal/sourcegraph
2. gitserver only clones all the repositories in github.internal/sourcegraph
3. gitserver fails to clone any repository in github.com/sourcegraph with the following warning:

   t=2022-07-01T20:29:33+0000
   lvl=warn msg="error cloning repo"
   repo=github.com/sourcegraph/sourcegraph
   err="error cloning repo: repo github.com/sourcegraph/sourcegraph not cloneable: exit status 128 (output follows)
   
   fatal: unable to access 'https://github.com/sourcegraph/sourcegraph/': SSL certificate problem: unable to get local issuer certificate"
   

Analysis

This happens because GitHub.com uses a TLS certificate whose root is DigiCert Global Root CA, which is a system certificate that is not mentioned in experimentalFeatures.tls.enabled.certificates.

This bug was initially mentioned in #71, but never got fixed because we had a workaround. I’m re-reporting it because I needed to update the workaround again.

@keegancsmith added a debug log in #22285, in case SystemCertPool fails to load, but I found no evidence of this error in our logs. I’d also like to point out that repo-updater was totally fine using system certificates, so my hypothesis is that gitserver isn’t going down this codepath.

Reading the error message, it really looks like it is coming from the actual git binary, which makes me suspect the GIT_SSL_CAINFO environment variable, which is set by #8092:
https://github.com/sourcegraph/sourcegraph/blob/3518a54ce82699d0e1fe3b19b21dd6eb2412ce5e/cmd/gitserver/server/serverutil.go#L115-L129

Note that this only writes the contents of the configuration, but doesn’t prepend /etc/ssl/certs/ca-certificates.crt, which exists in sourcegraph/gitserver@3.40.0. If this were prepended, all the system certificates would be included and I bet this would fix the bug.

Workaround

Add the DigiCert Global Root CA certificate alongside your internal CA certificate:

"experimentalFeatures": {
  "tls.external": {
    "certificates": [
      // DigiCert Global Root CA
      "-----BEGIN CERTIFICATE-----\nMIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh\nMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\nd3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\nQTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT\nMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\nb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB\nCSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97\nnh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt\n43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P\nT19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4\ngdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO\nBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR\nTLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw\nDQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr\nhMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg\n06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF\nPnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls\nYSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk\nCAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=\n-----END CERTIFICATE-----",
      // Internal CA
      "-----BEGIN CERTIFICATE-----\n…\n-----END CERTIFICATE-----"        
    ]
  }
}

[sourcegraph-bot-2]

Heads up @jplahn - the "team/repo-management" label was applied to this issue.

[keegancsmith]

@sfllaw thank you for the world class bug report!

It looks like we have a quick win here, we just need to include the system certificates when creating the custom certificate file. https://sourcegraph.com/github.com/sourcegraph/sourcegraph@4f5968f00d1ee686e32b74a15dd1aaf69cdce348/-/blob/cmd/gitserver/server/serverutil.go?L115-129

[keegancsmith]

So this isn't a quick win. Go's system certificate pool code does not expose the actual certificates. This is because depending on the platform go has to use different mechanisms to get hold of the certificates (some of which are costly so are done lazily).

I see three options forward:

• Copy-paste go's linux code for system certificate discovery. In Linux's case this is straight-forward and will work for our docker images.
• Document that users should include system certificates in the configuration.
• More research.

Documenting is easy so will atleast send a PR now for that. Copy-paste of stdlib code doesn't feel that great to be honest, and it isn't full proof in general (eg on my linux distribution (nix) the go runtime is patched to use different code for cert discovery). I've done a fair amount of research, but maybe git has some option to use both system certs and custom ones?

[sfllaw]

@keegancsmith This is still an experimental feature. Perhaps we could move the certificates so they are set on a repo, which would match Git's model?

By that, I mean that you can set http config options by URL:

$ git -c 'http.https://github.internal/.sslCAInfo=/tmp/gitserver123.crt' clone ...

This might break command-line length limits, so maybe keeping a config file around might be better?

[keegancsmith]

I like that suggestion to be honest. Also TIL that you can specify certs per domain. I'm sure we can workaround cli limits via adjusting repo config files. We use this setting also for go communication, so will just need to see if we can do something similar (I am sure we can).

Indeed the feature is still experimental, but fairly certain it is now in use by lots of people :) I'm sure we can do this in a non-breaking way as well.

[keegancsmith]

Suggestion to use url matching which is supported by git http.<url>.*. So investigating if we could reasonably do this for Go:

• tls.Config.GetConfigForClient isn't on the URL unfortunetly and will only have a ServerName if the server is using SNI.
• http.Transport.DialTLSContext isn't on the URL, but does get the address and allows us to establish the TLS connection (ie use a custom TLS config per domain).

I think using DialTLSContext would allow us to implement this. It won't be the same as git (URL based), but rather just work on the address (domain:port).

My only concern is potential downstream users of http.Transport assuming too much and doing things with the TLSClientConfig/etc and then that is ignored by our DialTLSContext. For example passing in our transport to the AWS client. I think there may even be examples in our own codebase where we manipulate TLSClientConfig.

It might make more sense to bake in TLS config into the external service configs instead of a global one. Then these concerns disappear (but requires much more code changes).

Either way this still isn't a quick win, so I'm not sure how we will prioritize this work given there is a workaround.

[sfllaw]

@keegancsmith I agree that configuring custom Certificate Authorities probably belongs in the code host’s settings, which can then be associated with its URL when calling out to Git.

On the Go side, you could do something fancy like you proposed above. Or you could just add all the certs to the x509.SystemCertPool when setting up your TLSClientConfig. I’d probably just keep a global CACertPool around that all the clients should use. This will be a little looser than the actually configuration specifies, but does that really matter? Is there really a world where you trust the CA for one code host but not another?