feat(certificates): add self-signed certs on Ubuntu #234
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR introduces support for adding self-signed certificates on Ubuntu by implementing Linux-specific functions for certificate management while preserving the macOS implementation. Key changes include defining a constant for the CA PEM filename, adding Linux-specific implementations for checking, adding, and removing the CA certificate, and updating Firefox profile directory detection based on the operating system.
Comments suppressed due to low confidence (2)
local-server/src/certificates/mod.rs:205
- The Linux implementation of ca_exists_in_keychain uses expect which may panic if the 'find' command fails; consider handling the error gracefully to prevent a potential crash in production.
.status().expect("Failed to find linkup CA").success()
local-server/src/certificates/mod.rs:317
- The function firefox_profiles_cert_storages currently selects only the first existing profile directory, which might omit additional valid Firefox profiles; consider iterating over all directories and merging the results.
.iter().map(|dir| PathBuf::from(home.clone()).join(dir))
There was a problem hiding this comment.
Pull Request Overview
This PR introduces support for self‐signed certificates on Ubuntu by updating the certificate installation and removal process for Linux while preserving macOS functionality.
- Introduces a new constant for the certificate PEM name and updates certificate path references
- Implements Linux-specific functions to check, add, and remove the CA from the system trust store
- Adjusts Firefox profile certificate storage discovery for both macOS and Linux
Comments suppressed due to low confidence (3)
local-server/src/certificates/mod.rs:197
- [nitpick] The Linux implementation of ca_exists_in_keychain uses the 'find' command with a basic error message. Consider adding more context to the error message (e.g., noting potential issues like command availability or permission errors) to ease future debugging.
fn ca_exists_in_keychain() -> bool {
local-server/src/certificates/mod.rs:287
- [nitpick] Consider including the file path or additional context in the error message when the removal of the CA certificate fails. This would help in diagnosing issues related to file permissions or incorrect paths.
return Err(UninstallError::DeleteCaCertificate("rm command returned unsuccessful exit status".to_string()));
local-server/src/certificates/mod.rs:337
- [nitpick] The error handling in the Firefox profiles discovery simply prints to stderr, which might not be visible or tracked in production logs. Consider using a more robust logging mechanism or propagating the error to improve visibility.
Err(error) => { if !matches!(error.kind(), std::io::ErrorKind::NotFound) { eprintln!("Failed to load Firefox profiles: {}", error); } }
e162add to
b593161
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for managing self-signed certificates on Ubuntu by introducing Linux-specific implementations for certificate installation and removal, while also cleaning up macOS‑only conditionals across various modules.
- Updated certificate module with a new constant and Linux implementations for keychain operations.
- Removed unnecessary macOS‑specific conditionals from services, commands, and configuration modules.
Reviewed Changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| local-server/src/certificates/mod.rs | Added constant for cert naming and Linux-specific keychain functions. |
| linkup-cli/src/services/mod.rs | Removed macOS‑specific cfg from module imports. |
| linkup-cli/src/main.rs | Removed redundant macOS‑specific conditionals. |
| linkup-cli/src/local_config.rs | Removed macOS‑specific configuration functions. |
| linkup-cli/src/commands/*.rs | Removed macOS‑specific blocks to support Ubuntu usage. |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
7797e78 to
2f59f5e
Compare
linkup-cli/src/commands/uninstall.rs
Outdated
| use crate::commands::local_dns; | ||
| use crate::local_config::LocalState; | ||
| use crate::{ | ||
| commands, linkup_dir_path, linkup_exe_path, local_config, prompt, InstallationMethod, Result, | ||
| }; |
There was a problem hiding this comment.
nit/suggestion:
Maybe we can merge these three use since they are all for crate::. Wdyt?
This release gets the Linux version closer to the macOS. We are testing it with Ubuntu. Main changes: - Ensure that Linkup can bind to 80/443 on Linux - #232 (fixes: 34f5282, 7e8cef5, b6fac77) - Manage self-signed certificates on Linux - #234 - Fix `health` command output on Linux - #236 Other changes: - Fix install script link on docs (8e6009d) - Use Ruff formatting on install script (e39de86) - Don't propagate `baggage` header (#237 ) --------- Co-authored-by: Roman Prudnikov <stillerr@yandex.ru> Co-authored-by: Oliver Stenbom <oliver@stenbom.eu>
There's no such cli tool like
securityon Ubuntu, so everything is mostly manual.Where do certs live in Linux
Certs live in
/etc/ssl/certs, but this directory is mostly a collection of symlinks that shouldn't be updated directly.Instead, we copy our cert to
/usr/local/share/ca-certificatesand then runupdate-ca-certificatesto update the symlinks.Where do Firefox certs live in Linux
Depends!
I found three places depending on how Firefox was installed and what your Linux is.
How to test
cd linkup-cli && cargo install --path .cd ..— get back to the root of the reposudo setcap cap_net_bind_service=+ep ~/.cargo/bin/linkupexport LINKUP_CONFIG=~/linkup/linkup-config.yamlexport PATH=$PATH:~/.cargo/bin/linkup >> ~/.bashrcsource ~/.bashrclinkup startlinkup local-dns installlinkup healthResourses: