Details
I have set up a fresh Phabricator install on Apache server.
I have successfully configured the virtual server to use SSL with self-signed certificate on address some.host, on port 4433.
I have imported the certificate to the browser. Icon goes green.
So far, so good.
Now, locally, on a linux box (up-to-date Arch linux as virtual machine), I have installed arcanist.
I created an .arcconfig file with "phabricator.uri": "https://some.host:4433" entry.
arc diff yielded:
Usage Exception: YOU NEED TO AUTHENTICATE TO CONTINUE
You are trying to connect to a server (some.host) that you do not have any credentials stored for.
To retrieve and store credentials for this server, run this command:
$ arc install-certificate
Ok.
arc install-certificate
Trying to connect to server...
Usage Exception: Failed to connect to server (https://some.host:4433/api/): [cURL/60] (https://some.host:4433/api/conduit.ping) <CURLE_SSL_CACERT> There was an error verifying the SSL Certificate Authority while negotiating the SSL connection. This usually indicates that you are using a self-signed certificate but have not added your CA to the CA bundle. See instructions in "libphutil/resources/ssl/README".
Ok. Some hours later, after reading quite a lot about SSL certs, I managed to import the certificate to OS with sudo update-ca-trust extract (as in here).
I verified it in two ways:
- $ curl -vvI https://some.host:4433, among other things it yielded SSL certificate verify ok.
- $ openssl s_client -showcerts -connect some.host:4433, it returned Verify return code: 0 (ok).
So I re-run arc install-certificate, and found that it's behaviour remained unchanged (There was an error verifying the SSL Certificate Authority while negotiating the SSL connection error).
I also tried modifying php.ini by setting curl.cainfo, but to no avail.
In the end, I used "https.blindly-trust-domains": [ "some.host" ], and it works, but anyway - what makes arc not recognize the certs like other tools? Or, what am I doing wrong?
Thanks in advance.