Add improved handling for TLS certificates for static builds. (#17605)

* Add improved handling for TLS certificates for static builds. * Properly replace symlinks. * Fix shellcheck warning. * Fix option handling. - Persist certificate handling mode and check URL across reinstalls. - Properly consume the arguments for the certificate handling options. * Add five minute hard timeout on certificate check. * Differentiate specific error results from curl. * Persist cert handling options regardless of how they’re passed in. * Escape slashes in REINSTALL_OPTIONS. * Fix escaping of reinstall options.
author: Austin S. Hemmelgarn <austin@netdata.cloud> 2024-06-12 07:05:39 -0400
committer: GitHub <noreply@github.com> 2024-06-12 07:05:39 -0400
commit: 405a1635a57b4337d3006bf65708d9da1ea8cc8c (patch)
tree: 7dc38869e35a25f748c0f7a67546c34280558cb1 /packaging
parent: ce1cb43d30a73826a054b987dd1201bb13b1056e (diff)
2 files changed, 88 insertions, 12 deletions
diff --git a/packaging/installer/kickstart.sh b/packaging/installer/kickstart.sh
index 63402825d8..dde738c281 100755
--- a/packaging/installer/kickstart.sh
+++ b/packaging/installer/kickstart.sh
@@ -1816,9 +1816,15 @@ try_static_install() {
     opts="${opts} --accept"
   fi
 
+  env_cmd="env NETDATA_CERT_TEST_URL=${NETDATA_CLAIM_URL} NETDATA_CERT_MODE=check"
+
+  if [ -n "${NETDATA_OFFLINE_INSTALL_SOURCE}" ]; then
+    env_cmd="env NETDATA_CERT_TEST_URL=${NETDATA_CLAIM_URL} NETDATA_CERT_MODE=auto"
+  fi
+
   progress "Installing netdata"
   # shellcheck disable=SC2086
-  if ! run_as_root sh "${tmpdir}/${netdata_agent}" ${opts} -- ${NETDATA_INSTALLER_OPTIONS}; then
+  if ! run_as_root ${env_cmd} /bin/sh "${tmpdir}/${netdata_agent}" ${opts} -- ${NETDATA_INSTALLER_OPTIONS}; then
     warning "Failed to install static build of Netdata on ${SYSARCH}."
     run rm -rf /opt/netdata
     return 2
diff --git a/packaging/makeself/install-or-update.sh b/packaging/makeself/install-or-update.sh
index e5397c9e8c..67be9d69c5 100755
--- a/packaging/makeself/install-or-update.sh
+++ b/packaging/makeself/install-or-update.sh
@@ -27,6 +27,8 @@ fi
 
 STARTIT=1
 REINSTALL_OPTIONS=""
+NETDATA_CERT_MODE="${NETDATA_CERT_MODE:-auto}"
+NETDATA_CERT_TEST_URL="${NETDATA_CERT_TEST_URL:-https://app.netdata.cloud}"
 RELEASE_CHANNEL="nightly"
 
 while [ "${1}" ]; do
@@ -48,6 +50,19 @@ while [ "${1}" ]; do
       NETDATA_DISABLE_TELEMETRY=1
       REINSTALL_OPTIONS="${REINSTALL_OPTIONS} ${1}"
       ;;
+    "--certificates")
+      case "${2}" in
+        auto|system) NETDATA_CERT_MODE="auto" ;;
+        check) NETDATA_CERT_MODE="check" ;;
+        bundled) NETDATA_CERT_MODE="bundled" ;;
+        *) run_failed "Unknown certificate handling mode '${2}'. Supported modes are auto, check, system, and bundled."; exit 1 ;;
+      esac
+      shift 1
+      ;;
+    "--certificate-test-url")
+      NETDATA_CERT_TEST_URL="${2}"
+      shift 1
+      ;;
 
     *) echo >&2 "Unknown option '${1}'. Ignoring it." ;;
   esac
@@ -62,6 +77,14 @@ if [ ! "${DISABLE_TELEMETRY:-0}" -eq 0 ] ||
   REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --disable-telemetry"
 fi
 
+if [ -n "${NETDATA_CERT_MODE}" ]; then
+  REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --certificates ${NETDATA_CERT_MODE}"
+fi
+
+if [ -n "${NETDATA_CERT_TEST_URL}" ]; then
+  REINSTALL_OPTIONS="${REINSTALL_OPTIONS} --certificate-test-url ${NETDATA_CERT_TEST_URL}"
+fi
+
 # -----------------------------------------------------------------------------
 progress "Attempt to create user/group netdata/netadata"
 
@@ -208,26 +231,73 @@ done
 
 # -----------------------------------------------------------------------------
 
-echo "Configure TLS certificate paths"
-if [ ! -L /opt/netdata/etc/ssl ] && [ -d /opt/netdata/etc/ssl ] ; then
-  echo "Preserving existing user configuration for TLS"
-else
+replace_symlink() {
+    target="${1}"
+    name="${2}"
+    rm -f "${name}"
+    ln -s "${target}" "${name}"
+}
+
+select_system_certs() {
   if [ -d /etc/pki/tls ] ; then
-    echo "Using /etc/pki/tls for TLS configuration and certificates"
-    ln -sf /etc/pki/tls /opt/netdata/etc/ssl
+    echo "${1} /etc/pki/tls for TLS configuration and certificates"
+    replace_symlink /etc/pki/tls /opt/netdata/etc/ssl
   elif [ -d /etc/ssl ] ; then
-    echo "Using /etc/ssl for TLS configuration and certificates"
-    ln -sf /etc/ssl /opt/netdata/etc/ssl
-  else
-    echo "Using bundled TLS configuration and certificates"
-    ln -sf /opt/netdata/share/ssl /opt/netdata/etc/ssl
+    echo "${1} /etc/ssl for TLS configuration and certificates"
+    replace_symlink /etc/ssl /opt/netdata/etc/ssl
   fi
+}
+
+select_internal_certs() {
+  echo "Using bundled TLS configuration and certificates"
+  replace_symlink /opt/netdata/share/ssl /opt/netdata/etc/ssl
+}
+
+certs_selected() {
+  [ -L /opt/netdata/etc/ssl ] || return 1
+}
+
+test_certs() {
+  /opt/netdata/bin/curl --fail --max-time 300 --silent --output /dev/null "${NETDATA_CERT_TEST_URL}"
+
+  case "$?" in
+    35|77) echo "Failed to load certificate files for test." ; return 1 ;;
+    60|82|83) echo "Certificates cannot be used to connect to ${NETDATA_CERT_TEST_URL}" ; return 1 ;;
+    53|54|66) echo "Unable to use OpenSSL configuration associated with certificates" ; return 1 ;;
+    0) echo "Successfully connected to ${NETDATA_CERT_TEST_URL} using certificates" ;;
+    *) echo "Unable to test certificates due to networking problems, blindly assuming they work" ;;
+  esac
+}
+
+# If the user has manually set up certificates, don’t mess with it.
+if [ ! -L /opt/netdata/etc/ssl ] && [ -d /opt/netdata/etc/ssl ] ; then
+  echo "Preserving existing user configuration for TLS"
+else
+  echo "Configure TLS certificate paths (mode: ${NETDATA_CERT_MODE})"
+  case "${NETDATA_CERT_MODE}" in
+    check)
+      select_system_certs "Testing"
+      if certs_selected && test_certs; then
+        select_system_certs "Using"
+      else
+        select_internal_certs
+      fi
+      ;;
+    bundled) select_internal_certs ;;
+    *)
+      select_system_certs "Using"
+      if ! certs_selected; then
+        select_internal_certs
+      fi
+      ;;
+  esac
 fi
 
 # -----------------------------------------------------------------------------
 
 echo "Save install options"
 grep -qv 'IS_NETDATA_STATIC_BINARY="yes"' "${NETDATA_PREFIX}/etc/netdata/.environment" || echo IS_NETDATA_STATIC_BINARY=\"yes\" >> "${NETDATA_PREFIX}/etc/netdata/.environment"
+REINSTALL_OPTIONS="$(echo "${REINSTALL_OPTIONS}" | awk '{gsub("/", "\\/"); print}')"
 sed -i "s/REINSTALL_OPTIONS=\".*\"/REINSTALL_OPTIONS=\"${REINSTALL_OPTIONS}\"/" "${NETDATA_PREFIX}/etc/netdata/.environment"
 
 # -----------------------------------------------------------------------------
author	Austin S. Hemmelgarn <austin@netdata.cloud>	2024-06-12 07:05:39 -0400
committer	GitHub <noreply@github.com>	2024-06-12 07:05:39 -0400
commit	405a1635a57b4337d3006bf65708d9da1ea8cc8c (patch)
tree	7dc38869e35a25f748c0f7a67546c34280558cb1 /packaging
parent	ce1cb43d30a73826a054b987dd1201bb13b1056e (diff)