Fix Connectivity to Azure MariaDB over TLS with New Combined CA

Azure is rotating CA certificates and now requires server operators to use a "combined" CA file that has the root certificates for both the BaltimoreCyberTrustRoot and DigiCertGlobalRootG2 CAs. It appears that Azure is migrating from BaltimoreCyberTrustRoot to DigiCertGlobalRootG2. More information is here: https://learn.microsoft.com/en-us/azure/mariadb/concepts-certificate-rotation
Inveniem · Apr 27, 2023 · 8662be5 · 8662be5
1 parent 9f90487
commit 8662be5
Show file tree

Hide file tree

Showing 7 changed files with 75 additions and 21 deletions.
diff --git a/docker/backend-nextcloud-apache/Dockerfile b/docker/backend-nextcloud-apache/Dockerfile
@@ -53,6 +53,11 @@ RUN /setup_newrelic.sh && rm /setup_newrelic.sh
 COPY nextcloud-common/entrypoint.sh /
 COPY nextcloud-common/config/* /usr/src/nextcloud/config/
 
+# Create combined CA file, per:
+# https://learn.microsoft.com/en-us/azure/mariadb/concepts-certificate-rotation
+COPY nextcloud-common/ssl/azure_ca/ /tmp/azure_ca
+RUN cat /tmp/azure_ca/*.pem >/usr/src/nextcloud/config/azure_ca.pem
+
 # We supply all custom apps via Docker image; app store is disabled
 COPY nextcloud-common/custom_apps/. /usr/src/nextcloud/custom_apps/
 

diff --git a/docker/backend-nextcloud-fpm/Dockerfile b/docker/backend-nextcloud-fpm/Dockerfile
@@ -100,6 +100,11 @@ RUN /setup_newrelic.sh && rm /setup_newrelic.sh
 COPY nextcloud-common/entrypoint.sh /
 COPY nextcloud-common/config/* /usr/src/nextcloud/config/
 
+# Create combined CA file, per:
+# https://learn.microsoft.com/en-us/azure/mariadb/concepts-certificate-rotation
+COPY nextcloud-common/ssl/azure_ca/ /tmp/azure_ca
+RUN cat /tmp/azure_ca/*.pem >/usr/src/nextcloud/config/azure_ca.pem
+
 # We supply all custom apps via Docker image; app store is disabled
 COPY nextcloud-common/custom_apps/. /usr/src/nextcloud/custom_apps/
 

diff --git a/docker/nextcloud-common/config/mysql-ssl.config.php b/docker/nextcloud-common/config/mysql-ssl.config.php
@@ -1,24 +1,18 @@
 <?php
-	$all_ssl_ca_locations = [
-		# Location of Azure Trusted CA on Alpine Linux
-		'/etc/ssl/certs/ca-cert-Baltimore_CyberTrust_Root.pem',
+/**
+ * The name of the combined CA file that gets created during the Docker build.
+ *
+ * The CA file contains certificates for both BaltimoreCyberTrustRoot and
+ * DigiCertGlobalRootG2, per the instructions from this article:
+ * https://learn.microsoft.com/en-us/azure/mariadb/concepts-certificate-rotation
+ */
+const AZURE_CA_PEM_FILE = 'azure_ca.pem';
 
-		# Location of Azure Trusted CA on Ubuntu Linux
-		'/etc/ssl/certs/Baltimore_CyberTrust_Root.pem',
-	];
+$config_folder = dirname(__FILE__);
 
-	foreach ($all_ssl_ca_locations as $location) {
-		if (is_file($location)) {
-			$ssl_ca_location = $location;
-			break;
-		}
-	}
-
-	if (!empty($ssl_ca_location)) {
-		# Support connecting to Azure MySQL over SSL
-		$CONFIG = array(
-			'dbdriveroptions' => array(
-				PDO::MYSQL_ATTR_SSL_CA => $ssl_ca_location,
-			),
-		);
-	}
+# Support connecting to Azure MySQL over SSL
+$CONFIG = array(
+	'dbdriveroptions' => array(
+		PDO::MYSQL_ATTR_SSL_CA => sprintf('%s/%s', $config_folder, AZURE_CA_PEM_FILE),
+	),
+);
diff --git a/docker/nextcloud-common/entrypoint.sh b/docker/nextcloud-common/entrypoint.sh
@@ -192,6 +192,7 @@ deploy_nextcloud_release() {
         echo "'config' directory is writable."
         echo "Sync-ing configuration snippets:"
         cp -v /usr/src/nextcloud/config/*.config.php /var/www/html/config/
+        cp -v /usr/src/nextcloud/config/*.pem /var/www/html/config/
         echo ""
     else
         echo "'config' directory is not writable."

diff --git a/docker/nextcloud-common/ssl/azure_ca/BaltimoreCyberTrustRoot.crt.pem b/docker/nextcloud-common/ssl/azure_ca/BaltimoreCyberTrustRoot.crt.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
+RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
+VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
+DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
+ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
+VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
+mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
+IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
+mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
+XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
+dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
+jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
+BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
+DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
+9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
+jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
+Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
+ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
+R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
+-----END CERTIFICATE-----
+
diff --git a/docker/nextcloud-common/ssl/azure_ca/DigiCertGlobalRootG2.crt.pem b/docker/nextcloud-common/ssl/azure_ca/DigiCertGlobalRootG2.crt.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
+MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
+b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
+2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
+1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
+q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
+tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
+vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
+BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
+5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
+1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
+NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
+Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
+8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
+pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
+MrY=
+-----END CERTIFICATE-----
diff --git a/docker/nextcloud-cron/Dockerfile b/docker/nextcloud-cron/Dockerfile
@@ -19,6 +19,11 @@ RUN rm -f /usr/src/nextcloud/config/redis.config.php
 COPY nextcloud-cron/entrypoint.sh /
 COPY nextcloud-common/config/* /usr/src/nextcloud/config/
 
+# Create combined CA file, per:
+# https://learn.microsoft.com/en-us/azure/mariadb/concepts-certificate-rotation
+COPY nextcloud-common/ssl/azure_ca/ /tmp/azure_ca
+RUN cat /tmp/azure_ca/*.pem >/usr/src/nextcloud/config/azure_ca.pem
+
 COPY nextcloud-cron/cleanup_uploads.sh /
 
 # Ensure custom apps are available during cron runs.