phorge-arcanist/resources/ssl/README

This document describes how to set Certificate Authority information.
Usually, you need to do this only if you're using a self-signed certificate.


OSX after Yosemite
==================

If you're using a version of Mac OSX after Yosemite, you can not configure
certificates from the command line. All libphutil and arcanist options
related to CA configuration are ignored.

Instead, you need to add them to the system keychain. The easiest way to do this
is to visit the site in Safari and choose to permanently accept the certificate.

You can also use `security add-trusted-cert` from the command line.


All Other Systems
=================

If "curl.cainfo" is not set (or you are using PHP older than 5.3.7, where the
option was introduced), libphutil uses the "default.pem" certificate authority
bundle when making HTTPS requests with cURL. This bundle is extracted from
Mozilla's certificates by cURL:

  http://curl.haxx.se/docs/caextract.html

If you want to use a different CA bundle (for example, because you use
self-signed certificates), set "curl.cainfo" if you're using PHP 5.3.7 or newer,
or create a file (or symlink) in this directory named "custom.pem".

If "custom.pem" is present, that file will be used instead of "default.pem".

If you receive errors using your "custom.pem" file, you can test it directly
with `curl` by running a command like this:

  curl -v --cacert arcanist/resources/ssl/custom.pem https://phorge.example.com/

Replace "arcanist/resources/ssl/custom.pem" with the path to your "custom.pem"
file, and replace "https://phorge.example.com" with the real URL of your Phorge
install.

The initial lines of output from `curl` should give you information about the
SSL handshake and certificate verification, which may be helpful in resolving
the issue.
Fully merge "libphutil/" into "arcanist/" Summary: Ref T13395. Moves all remaining code in "libphutil/" into "arcanist/". Test Plan: Ran various arc workflows, although this probably has some remaining rough edges. Maniphest Tasks: T13395 Differential Revision: https://secure.phabricator.com/D20980 2020-02-12 23:24:11 +01:00			`This document describes how to set Certificate Authority information.`
			`Usually, you need to do this only if you're using a self-signed certificate.`


			`OSX after Yosemite`
			`==================`

			`If you're using a version of Mac OSX after Yosemite, you can not configure`
			`certificates from the command line. All libphutil and arcanist options`
			`related to CA configuration are ignored.`

			`Instead, you need to add them to the system keychain. The easiest way to do this`
			`is to visit the site in Safari and choose to permanently accept the certificate.`

			You can also use `security add-trusted-cert` from the command line.


			`All Other Systems`
			`=================`

			`If "curl.cainfo" is not set (or you are using PHP older than 5.3.7, where the`
			`option was introduced), libphutil uses the "default.pem" certificate authority`
			`bundle when making HTTPS requests with cURL. This bundle is extracted from`
			`Mozilla's certificates by cURL:`

			`http://curl.haxx.se/docs/caextract.html`

			`If you want to use a different CA bundle (for example, because you use`
			`self-signed certificates), set "curl.cainfo" if you're using PHP 5.3.7 or newer,`
			`or create a file (or symlink) in this directory named "custom.pem".`

			`If "custom.pem" is present, that file will be used instead of "default.pem".`

			`If you receive errors using your "custom.pem" file, you can test it directly`
			with `curl` by running a command like this:

Add resources/ssl/custom.pem to .gitignore Summary: When arcanist connects to a phorge site which uses an SSL certificate signed by a local CA, then the client needs to have a resources/ssl/custom.pem file as per resources/ssl/README As this is client specific it should be in the .gitignore file. Also update resources/ssl/README to replace [Pp]habricator with [Pp]horge. Test Plan: ``` touch resources/ssl/custom.pem git status ``` The 'git status' should show no changes. Reviewers: O1 Blessed Committers, valerio.bozzolan Reviewed By: O1 Blessed Committers, valerio.bozzolan Subscribers: speck, tobiaswiese, valerio.bozzolan, Matthew, Cigaryno Differential Revision: https://we.phorge.it/D25304 2023-06-21 20:56:41 +02:00			`curl -v --cacert arcanist/resources/ssl/custom.pem https://phorge.example.com/`
Fully merge "libphutil/" into "arcanist/" Summary: Ref T13395. Moves all remaining code in "libphutil/" into "arcanist/". Test Plan: Ran various arc workflows, although this probably has some remaining rough edges. Maniphest Tasks: T13395 Differential Revision: https://secure.phabricator.com/D20980 2020-02-12 23:24:11 +01:00
Add resources/ssl/custom.pem to .gitignore Summary: When arcanist connects to a phorge site which uses an SSL certificate signed by a local CA, then the client needs to have a resources/ssl/custom.pem file as per resources/ssl/README As this is client specific it should be in the .gitignore file. Also update resources/ssl/README to replace [Pp]habricator with [Pp]horge. Test Plan: ``` touch resources/ssl/custom.pem git status ``` The 'git status' should show no changes. Reviewers: O1 Blessed Committers, valerio.bozzolan Reviewed By: O1 Blessed Committers, valerio.bozzolan Subscribers: speck, tobiaswiese, valerio.bozzolan, Matthew, Cigaryno Differential Revision: https://we.phorge.it/D25304 2023-06-21 20:56:41 +02:00			`Replace "arcanist/resources/ssl/custom.pem" with the path to your "custom.pem"`
			`file, and replace "https://phorge.example.com" with the real URL of your Phorge`
			`install.`
Fully merge "libphutil/" into "arcanist/" Summary: Ref T13395. Moves all remaining code in "libphutil/" into "arcanist/". Test Plan: Ran various arc workflows, although this probably has some remaining rough edges. Maniphest Tasks: T13395 Differential Revision: https://secure.phabricator.com/D20980 2020-02-12 23:24:11 +01:00
			The initial lines of output from `curl` should give you information about the
			`SSL handshake and certificate verification, which may be helpful in resolving`
			`the issue.`