Merge pull request #46 from hic-infra/ca-improvements

Install CA certificate on Firefox (Windows)
hic-infra · Nov 13, 2024 · a58b084 · a58b084
2 parents 0c44934 + 217f84d
commit a58b084
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 1 deletion.
diff --git a/modules/hic-tre-cert.ps1 b/modules/hic-tre-cert.ps1
@@ -39,7 +39,38 @@ zvyXRCnDutC2I48pjubDIKtp2crIOMdsmtBVCQq6gX1Sl/4z4E6BXEWkfVcSBk+O
 05i6skiAX2QQcqX+EC/9HQ8UEjKIGeXyR2SxAiACx+1ckj9MHG8nytRAJQ2glmLs
 ws7bgq7KAqJqvvPyVIeOW0hx4AX+5Q==
 -----END CERTIFICATE-----
-"@ | Out-File -FilePath C:\Tools\hic-tre.dundee.ac.uk.crt
+"@ | Out-File -Encoding ASCII -FilePath C:\Tools\hic-tre.dundee.ac.uk.crt
 
 Get-Item C:\Tools\hic-tre.dundee.ac.uk.crt | `
   Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
+
+
+# Firefox doesn't use the system certificates by default, but a policy
+# can be used to force the installation of the certificate at the next
+# run.
+New-Item -Path "C:\Program Files\Mozilla Firefox\" -Name distribution -ItemType Directory -Force
+@"
+{
+  "policies": {
+    "Certificates": {
+      "Install": ["C:\\Tools\\hic-tre.dundee.ac.uk.crt"]
+    }
+  }
+}
+"@ | Out-File -Encoding ASCII -FilePath "C:\Program Files\Mozilla Firefox\distribution\policies.json"
+
+# This covers both conda and CRAN, but it also overrides their own
+# provided CA chain files. That's probably ok given we don't allow
+# access to the internet.
+[Environment]::SetEnvironmentVariable(
+    "SSL_CERT_FILE",
+    "C:\Tools\hic-tre.dundee.ac.uk.crt",
+    [System.EnvironmentVariableTarget]::User)
+[Environment]::SetEnvironmentVariable(
+    "REQUESTS_CA_BUNDLE",
+    "C:\Tools\hic-tre.dundee.ac.uk.crt",
+    [System.EnvironmentVariableTarget]::User)
+[Environment]::SetEnvironmentVariable(
+    "CURL_CA_BUNDLE",
+    "C:\Tools\hic-tre.dundee.ac.uk.crt",
+    [System.EnvironmentVariableTarget]::User)
diff --git a/modules/hic-tre-cert.sh b/modules/hic-tre-cert.sh
@@ -60,3 +60,15 @@ sudo tee /etc/firefox/policies/policies.json <<JSON
   }
 }
 JSON
+
+# /etc/profile.d/*.sh not called due to how we start VNC
+if ! grep -Fxq "# HIC TRE CA CERT" /etc/bash.bashrc ; then
+    sudo tee -a /etc/bash.bashrc <<EOF
+
+# HIC TRE CA CERT
+export SSL_CERT_FILE=/usr/local/share/ca-certificates/hic/hic-tre.crt
+export REQUESTS_CA_BUNDLE=\$SSL_CERT_FILE
+export CURL_CA_BUNDLE=\$SSL_CERT_FILE
+EOF
+fi
+