Override trusted certs for the conveyor command line

[eskatos]

Our staging environment to which we want to deploy a download site is using Let's Encrypt staging certificates.
Let's Encrypt's staging root CA certificate is obvisouly not present in the truststore shipped with conveyor.

The consequence is that when running make site with a site.base-url pointing at such an https server we get the following error when conveyor issue http requests to the site:

Error: I/O Error: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
 • Sun Cert Path Builder: unable to find valid certification path to requested target

I tried passing -Djavax.net.ssl.trustStore=path/to/a/truststore/with/letsencrypt/staging/certs/added but the conveyor command line says that this not a recognized command option.

Adding the certificates to the operating system is not an option given conveyor ships with its own truststore.

The only thing that worked was to overwrite the lib/runtime/lib/security/cacert file in the conveyor installation.

Did I miss an available way to provide trusted certificates to conveyor without tinkering with its installation?
If not, could it be considered as a feature request?

Note that there's a workaround so it's not an urgent thing for me.

[eskatos]

Once solved for building with the above workaround I stumbled upon the next step: the "installers" don't trust the staging update site.

I'm fine with requiring testers to install the staging CA certificates onto their systems upfront. I expect things to work for the debian repository, the Windows installers, and Sparkle on macOS. I still have to test all this and will report here how it goes.

I guess there's no point in adding support for adding trusted certs just to the conveyor command line. For a seamless experience it would have to be baked in all components and there would always be the blocker that one can't access the download site in the first place without installing the certificate locally 🍳 🐔 I think the feature request can be disregarded and I just have to find my way into this.

[mikehearn]

Using non-standard roots is probably pretty common in an enterprise environment, and we support customizing the root store of bundled JVM apps at packaging time for that reason:

https://conveyor.hydraulic.dev/15.1/configs/jvm/#appjvmadditional-ca-certs

It's meant for internal servers that act as backends to the desktop app. The case where the update site itself uses custom roots is harder. We can (should!) make Conveyor use the system root store instead of its own, at least on Mac and Windows, but that won't help in the case where the users installing the packages don't know about the root either. Fixing that is hard. It'd require a UAC elevation on Windows at minimum, so for users who don't have admin access it's right out.

[eskatos]

I can confirm that on Linux, macOS and Windows, once the staging AC certificates installed system wide, everything works fine.