diff --git a/CLAUDE.md b/CLAUDE.md index 685787d..8023fc2 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -24,4 +24,76 @@ Nomad MCP is a service that enables management of HashiCorp Nomad jobs via REST - `/static`: Frontend assets - `/tests`: Test files -Always maintain backward compatibility with existing API endpoints. Follow REST principles. \ No newline at end of file +Always maintain backward compatibility with existing API endpoints. Follow REST principles. + +## SSL Certificate Management for Internal Services + +When working with internal/corporate services that use custom Certificate Authorities (CAs): + +### Problem +- Internal services use SSL certificates signed by custom/corporate CAs +- System trust stores don't recognize these CAs +- Results in `SSL: CERTIFICATE_VERIFY_FAILED` errors + +### Solution: Extract and Configure CA Bundle + +1. **Extract CA Certificate Chain**: + ```bash + # Find the CA issuer from certificate details + openssl s_client -connect your-service.internal:443 -showcerts + + # Download CA certificate (adjust URL for your PKI) + curl -k "https://vault.internal:8200/v1/pki/ca" -o certs/ca_bundle.pem + ``` + +2. **Test CA Bundle**: + ```bash + # Test with curl + curl --cacert certs/ca_bundle.pem https://your-service.internal + + # Test with Python + python -c "import requests; print(requests.get('https://your-service.internal', verify='certs/ca_bundle.pem').status_code)" + ``` + +3. **Create Environment Configuration**: + ```bash + # .env.ssl + export SSL_CERT_FILE="$(pwd)/certs/ca_bundle.pem" + export REQUESTS_CA_BUNDLE="$(pwd)/certs/ca_bundle.pem" + export CURL_CA_BUNDLE="$(pwd)/certs/ca_bundle.pem" + export GIT_SSL_CAINFO="$(pwd)/certs/ca_bundle.pem" + ``` + +4. 
**Usage**: + ```bash + # Load SSL configuration + source .env.ssl + + # Now all tools use the CA bundle automatically + curl https://your-service.internal + git clone https://git.internal/repo.git + pip install -i https://pypi.internal/simple/ package + ``` + +### For Different Tools + +- **Curl**: `curl --cacert path/to/ca_bundle.pem` +- **Python requests**: `requests.get(url, verify='path/to/ca_bundle.pem')` +- **Git**: `git config http.sslCAInfo path/to/ca_bundle.pem` +- **Node.js**: `NODE_EXTRA_CA_CERTS=path/to/ca_bundle.pem` +- **Docker**: Mount certs and set `SSL_CERT_FILE` environment variable + +### Environment Variables Priority +1. `SSL_CERT_FILE` - Used by most SSL libraries +2. `REQUESTS_CA_BUNDLE` - Python requests library +3. `CURL_CA_BUNDLE` - curl command +4. Tool-specific variables (e.g., `GIT_SSL_CAINFO`) + +### Best Practices +- **Keep CA bundle in version control** (it's public key material) +- **Test SSL connections** with a script to verify setup +- **Document certificate renewal process** in project README +- **Use environment variables** for consistent configuration across tools +- **Never disable SSL verification** in production code + +This approach provides proper SSL security while working with internal services. \ No newline at end of file
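Review bot: the "Extract CA Certificate Chain" step fetches the trust anchor with `curl -k "https://vault.internal:8200/v1/pki/ca" -o certs/ca_bundle.pem`, which disables verification for exactly the download whose integrity everything else depends on; a network attacker who can answer for `vault.internal` during that step gets a CA of their choice committed to version control, and the later "Never disable SSL verification" best practice is contradicted by the very first command. Suggest either distributing the CA out-of-band (from the PKI admin or a trusted machine) or downloading it with verification against an already-trusted anchor, and adding a check of the downloaded certificate's fingerprint against a value published by the PKI team before it is saved to `certs/ca_bundle.pem`, for example `openssl x509 -in certs/ca_bundle.pem -noout -fingerprint -sha256`. Two smaller points in the same hunk: the `.env.ssl` snippet bakes in `$(pwd)` at source time, so it only works when sourced from the repository root (a path relative to the file's own directory, or an absolute path documented in the README, would be less surprising); and the "Environment Variables Priority" list presents `SSL_CERT_FILE` as read by "most SSL libraries", but it is honoured by OpenSSL-based tools, while Python `requests` consults `REQUESTS_CA_BUNDLE`/`CURL_CA_BUNDLE` and does not read `SSL_CERT_FILE` on its own, which is why all four exports are needed; worth stating so readers do not drop the "redundant" ones.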