diff --git a/.env.ssl b/.env.ssl
new file mode 100644
index 0000000..07df4d8
--- /dev/null
+++ b/.env.ssl
@@ -0,0 +1,16 @@
+# SSL Certificate Configuration for Mei Sheng Group Services
+# Source this file to configure SSL verification for internal services
+
+# Certificate bundle path
+export SSL_CERT_FILE="$(pwd)/certs/meisheng_ca_bundle.pem"
+export REQUESTS_CA_BUNDLE="$(pwd)/certs/meisheng_ca_bundle.pem"
+export CURL_CA_BUNDLE="$(pwd)/certs/meisheng_ca_bundle.pem"
+
+# Python SSL configuration
+export PYTHONHTTPSVERIFY=1
+
+# Git configuration
+export GIT_SSL_CAINFO="$(pwd)/certs/meisheng_ca_bundle.pem"
+
+echo "āœ… SSL certificates configured for Mei Sheng Group services"
+echo "šŸ“ CA Bundle: $SSL_CERT_FILE"
\ No newline at end of file
diff --git a/certs/README.md b/certs/README.md
new file mode 100644
index 0000000..29cf808
--- /dev/null
+++ b/certs/README.md
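Review bot: The four `export` lines in `.env.ssl` build the bundle path from `$(pwd)`, so the values are only correct when the file is sourced from the repository root; sourced from any other directory, every variable points at a path that does not exist and nothing reports it. These variables also replace the default CA file for the whole shell rather than extend it, so with a bundle that holds only the internal CA, HTTPS to public hosts from the same shell would be expected to fail verification, which tends to push people toward switching verification off. I would add a check such as `[ -r "$SSL_CERT_FILE" ] || echo "CA bundle not readable: $SSL_CERT_FILE" >&2` before the final `echo` lines, plus a comment that the file must be sourced from the repo root and is meant for internal endpoints only. `PYTHONHTTPSVERIFY` comes from PEP 493 and is read only by Python 2.7 builds that implement it, so under Python 3 that line has no effect and its comment should say so or the line should go.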
@@ -0,0 +1,72 @@
+# Mei Sheng Group SSL Certificates
+
+This folder contains the SSL certificate chain for Mei Sheng Group internal services.
+
+## Certificate Chain
+
+1. **Intermediate CA**: `Mei_Sheng_Group_Intermediate_CA_02`
+ - File: `intermediate_ca.pem`, `meisheng_ca_bundle.pem`
+ - Valid: Sep 14, 2020 - Sep 13, 2025
+ - Issuer: Mei_Sheng_Group_RootCA
+
+2. **Server Certificate**: `*.dev.meisheng.group`
+ - File: `server_cert.pem`
+ - Valid: May 30, 2025 - May 31, 2025 (expires soon!)
+ - Covers: gitea.dev.meisheng.group, nomad_mcp.dev.meisheng.group
+
+## Usage
+
+### For Python Applications
+
+Use the CA bundle to verify SSL connections:
+
+```python
+import requests
+
+# Use the CA bundle for requests
+response = requests.get(
+ 'https://gitea.dev.meisheng.group',
+ verify='/path/to/certs/meisheng_ca_bundle.pem'
+)
+```
+
+### For curl
+
+```bash
+curl --cacert certs/meisheng_ca_bundle.pem https://gitea.dev.meisheng.group
+```
+
+### For Git
+
+```bash
+# Configure git to use the CA bundle
+git config http.sslCAInfo /path/to/certs/meisheng_ca_bundle.pem
+```
+
+### For MCP/Claude Code
+
+Add to environment variables:
+
+```bash
+export REQUESTS_CA_BUNDLE=/path/to/certs/meisheng_ca_bundle.pem
+export SSL_CERT_FILE=/path/to/certs/meisheng_ca_bundle.pem
+```
+
+## Certificate Renewal
+
+āš ļø **Important**: The server certificate expires on May 31, 2025. It needs to be renewed soon.
+
+## System Trust Store (Optional)
+
+To install the CA in the system trust store:
+
+### macOS
+```bash
+sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain certs/meisheng_ca_bundle.pem
+```
+
+### Linux
+```bash
+sudo cp certs/meisheng_ca_bundle.pem /usr/local/share/ca-certificates/meisheng-ca.crt
+sudo update-ca-certificates
+```
\ No newline at end of file
diff --git a/certs/ca_chain.pem b/certs/ca_chain.pem
new file mode 100644
index 0000000..03008a5
--- /dev/null
+++ b/certs/ca_chain.pem
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDXDCCAuKgAwIBAgIUHChdZkXlA0s5wEy9qjYCkrwc58UwCgYIKoZIzj0EAwMw +gYcxCzAJBgNVBAYTAlZOMQ4wDAYDVQQIEwVWTi00MzESMBAGA1UEBxMJTmdhaSBH +aWFvMRgwFgYDVQQKEw9NZWkgU2hlbmcgR3JvdXAxGTAXBgNVBAsTEFRlY2hub2xv +Z3kgR3JvdXAxHzAdBgNVBAMMFk1laV9TaGVuZ19Hcm91cF9Sb290Q0EwHhcNMjAw +OTE0MDQwNzAwWhcNMjUwOTEzMDQwNzAwWjAtMSswKQYDVQQDDCJNZWlfU2hlbmdf +R3JvdXBfSW50ZXJtZWRpYXRlX0NBXzAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAyEoQIfXC9wX9lqq9nGMpf437M70FUeTExY915wNsMhOXrJflT66p +f2A+uA3hq8wHGq+wOGFTEhteQhIDoRADLes5ywa5qXCQbi3HeB5WtbT3ayFfh2xY +MdGsJVg0aqjPPuF1UVnNFSTvsJm0unLgNNrw1lzwB3qvg28G/j3MDkRYhB+pNmOH +yHZQbDIJhZ+OCOxf78fdNfSVUJNmVZM2tVDbN/Dz2jiFIkEyX7FgRm26uTdmAMTG +m/RbSa4k7C+9/bZSm2k22R0weKodnCVMVJvqeh3VB40ETeebaIi3oBi4AzyN8d8q +yhqle+Bj78qtghaPHrRY4Hbt51wh8fjdjwIDAQABo4G5MIG2MA4GA1UdDwEB/wQE +AwIBpjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBTLduok3uInrMWi6mZe +Lt9v6weoyTAfBgNVHSMEGDAWgBRFZFsAQFhk5efyrI3BepXfPi+DgjBQBgNVHR8E +STBHMEWgQ6BBhj9odHRwOi8vY3JsLmRzLm1laXNoZW5nLmdyb3VwL3BraS9NZWkt +U2hlbmctR3JvdXAtVmF1bHQtSU1DQS5jcmwwCgYIKoZIzj0EAwMDaAAwZQIwKWCU +8udFsZc1hH5IGMSo/PJjAs/q4PbsddwFp0s+P64PFxun+DTkFDmw4GYwUjv5AjEA +i+TpLy8j4LmvTq9tgJ/6UlFHAuHmnho8qoBURNrve7dJiRPYJfRYoqJ3IY3J7CdK +-----END CERTIFICATE----- \ No newline at end of file diff --git a/certs/full_chain_raw.pem b/certs/full_chain_raw.pem new file mode 100644 index 0000000..d39b694 --- /dev/null +++ b/certs/full_chain_raw.pem 
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFsjCCBJqgAwIBAgIUILZlhb2ckYpVea2ie8YePywKDNswDQYJKoZIhvcNAQEL +BQAwLTErMCkGA1UEAwwiTWVpX1NoZW5nX0dyb3VwX0ludGVybWVkaWF0ZV9DQV8w +MjAeFw0yNTA1MzAxNTIwNDJaFw0yNTA1MzExNTIxMDlaMIHSMQswCQYDVQQGEwJW +TjERMA8GA1UECBMIRG9uZyBOYWkxEzARBgNVBAcTCkxvbmcgVGhhbmgxLTArBgNV +BAkTJFN0cmVldCAxLCBMb25nIFRoYW5oIEluZHVzdHJpYWwgWm9uZTEPMA0GA1UE +ERMGNzYwMDAwMSEwHwYDVQQKExhNZWkgU2hlbmcgVGV4dGlsZXMgR3JvdXAxGTAX +BgNVBAsTEFRlY2hub2xvZ3kgR3JvdXAxHTAbBgNVBAMMFCouZGV2Lm1laXNoZW5n +Lmdyb3VwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArnfHjOSjdy8p +bkV0+Xq+9VCJHwNnaakOUJKSkW/Iw8/KbnNzT0Y9V3zFhKJMUaVsucTNneEbWOc3 +wdoe0C75PjYY9Bw3VSnyaXHF84QNy7LxM3E8X0R3rqETfJilzFA4nBtI5bx1WxNp +tSOOYSgcoD7W38mKPpNO3yKdEmrkl5YiunWQBChD+K7tlDewcHnWuJsBPHO+cRrz +rcfv6oozD2zlX5yBzF1lOVWV7TDnCjvyCYuUR9LvwswOkEi8gxnCZxlF9psHvb+a +5CoMleVct6Hgzo2lPe3t7f/eszdbkMIxN/CyIsqG+G5Ljr9M4dTTWhy6nnkF9MkA +i/wZGdKdmSIabXq2/nwlebSJA4sDUBzX+/8Wm2izHN9WqM0bmOdhrwF9uCfAI3d0 +iMeRzxGfJHVU6yml3PSyejc5SpHG4htnWbrZwJB0kxNCPVHYssajqyG41n9xS5dp +bdlP6nl0x1BLvESPKE0oksoDdEkZ1nudSW6uVnNA2idyAwplFD4H4Ww82zxdTwBY +i9nHtMAoizSyd1RxC6SRGaw5jgCaoBw95YbTftOQqH3meu3SWYGhFtpVMu2ZL4nz +7ZwAz/XMJXNdni/+O6hI9ajRSYkrYW5qU3sWXhpehHNGD+Z5MYse/Gl7qGB4P4G6 +3aWx0iFmlpi7EzNe7mG85+6oqsfXBYsCAwEAAaOCASIwggEeMA4GA1UdDwEB/wQE +AwIDqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFOAu +oM+WwWMbylfcJQlkYkPMCi3dMB8GA1UdIwQYMBaAFMt26iTe4iesxaLqZl4u32/r +B6jJMEoGCCsGAQUFBwEBBD4wPDA6BggrBgEFBQcwAoYuaHR0cHM6Ly92YXVsdC5k +cy5tZWlzaGVuZy5ncm91cDo4MjAwL3YxL3BraS9jYTAfBgNVHREEGDAWghQqLmRl +di5tZWlzaGVuZy5ncm91cDBABgNVHR8EOTA3MDWgM6Axhi9odHRwczovL3ZhdWx0 +LmRzLm1laXNoZW5nLmdyb3VwOjgyMDAvdjEvcGtpL2NybDANBgkqhkiG9w0BAQsF +AAOCAQEAs0lsR2dVZNqe/4Rt4nB/YOz/GjnX2HU3EY9LNK0ItCpZNcoVGDiAPWn/ +tWzAVdSp9DfDl4SO26pKCTknGUUrBr08WtkR6CqUmZ7rf5cYl0gtG6LM3/Qn2wt6 +p14HYwJsgt3z3uJ8NGdp9SeamQuhMERz6uQ/t9ueeR806vJEZxJGb/bpHMYiEYyh +6FFwSnwSBLVUwR0aUqVCVg5yYnrjI/WVbLaXQLf1WBpbNl72sSBPnxxWzfb2ddvN 
+DkPD/w983xFNSys98E+N9XeSSOuzOocLvgqZkFlCU9J60sgS8Zyaxrt4H29WMvip
+8nHYJG7vL61dt80BZioEuChMpRKKsw==
+-----END CERTIFICATE-----
diff --git a/certs/intermediate_ca.pem b/certs/intermediate_ca.pem
new file mode 100644
index 0000000..de97553
Binary files /dev/null and b/certs/intermediate_ca.pem differ
diff --git a/certs/meisheng_ca_bundle.pem b/certs/meisheng_ca_bundle.pem
new file mode 100644
index 0000000..03008a5
--- /dev/null
+++ b/certs/meisheng_ca_bundle.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDXDCCAuKgAwIBAgIUHChdZkXlA0s5wEy9qjYCkrwc58UwCgYIKoZIzj0EAwMw
+gYcxCzAJBgNVBAYTAlZOMQ4wDAYDVQQIEwVWTi00MzESMBAGA1UEBxMJTmdhaSBH
+aWFvMRgwFgYDVQQKEw9NZWkgU2hlbmcgR3JvdXAxGTAXBgNVBAsTEFRlY2hub2xv
+Z3kgR3JvdXAxHzAdBgNVBAMMFk1laV9TaGVuZ19Hcm91cF9Sb290Q0EwHhcNMjAw
+OTE0MDQwNzAwWhcNMjUwOTEzMDQwNzAwWjAtMSswKQYDVQQDDCJNZWlfU2hlbmdf
+R3JvdXBfSW50ZXJtZWRpYXRlX0NBXzAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAyEoQIfXC9wX9lqq9nGMpf437M70FUeTExY915wNsMhOXrJflT66p
+f2A+uA3hq8wHGq+wOGFTEhteQhIDoRADLes5ywa5qXCQbi3HeB5WtbT3ayFfh2xY
+MdGsJVg0aqjPPuF1UVnNFSTvsJm0unLgNNrw1lzwB3qvg28G/j3MDkRYhB+pNmOH
+yHZQbDIJhZ+OCOxf78fdNfSVUJNmVZM2tVDbN/Dz2jiFIkEyX7FgRm26uTdmAMTG
+m/RbSa4k7C+9/bZSm2k22R0weKodnCVMVJvqeh3VB40ETeebaIi3oBi4AzyN8d8q
+yhqle+Bj78qtghaPHrRY4Hbt51wh8fjdjwIDAQABo4G5MIG2MA4GA1UdDwEB/wQE
+AwIBpjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBTLduok3uInrMWi6mZe
+Lt9v6weoyTAfBgNVHSMEGDAWgBRFZFsAQFhk5efyrI3BepXfPi+DgjBQBgNVHR8E
+STBHMEWgQ6BBhj9odHRwOi8vY3JsLmRzLm1laXNoZW5nLmdyb3VwL3BraS9NZWkt
+U2hlbmctR3JvdXAtVmF1bHQtSU1DQS5jcmwwCgYIKoZIzj0EAwMDaAAwZQIwKWCU
+8udFsZc1hH5IGMSo/PJjAs/q4PbsddwFp0s+P64PFxun+DTkFDmw4GYwUjv5AjEA
+i+TpLy8j4LmvTq9tgJ/6UlFHAuHmnho8qoBURNrve7dJiRPYJfRYoqJ3IY3J7CdK
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/certs/root_ca.pem b/certs/root_ca.pem
new file mode 100644
index 0000000..eb15fe1
--- /dev/null
+++ b/certs/root_ca.pem
@@ -0,0 +1 @@
+{"errors":["missing client token"]}
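Review bot: `certs/root_ca.pem` does not contain a certificate: its single line is the JSON error body `{"errors":["missing client token"]}`, which looks like the response to an unauthenticated API request saved under a `.pem` name. Any tool pointed at this file will fail to parse it, and the root that issued the intermediate is therefore absent from the commit; `certs/meisheng_ca_bundle.pem` holds a single certificate block, so clients are being asked to trust the intermediate directly, and whether that verifies depends on the TLS library accepting a partial chain. The file should be dropped or replaced with the real root obtained over an authenticated channel, and checked with `openssl x509 -in certs/root_ca.pem -noout -subject -fingerprint -sha256` against a fingerprint published out of band before anyone installs it in a system trust store. `certs/intermediate_ca.pem` is reported as a binary file, so it may be DER rather than PEM despite its extension and deserves the same check.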
diff --git a/certs/server_cert.pem b/certs/server_cert.pem
new file mode 100644
index 0000000..d39b694
--- /dev/null
+++ b/certs/server_cert.pem
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFsjCCBJqgAwIBAgIUILZlhb2ckYpVea2ie8YePywKDNswDQYJKoZIhvcNAQEL +BQAwLTErMCkGA1UEAwwiTWVpX1NoZW5nX0dyb3VwX0ludGVybWVkaWF0ZV9DQV8w +MjAeFw0yNTA1MzAxNTIwNDJaFw0yNTA1MzExNTIxMDlaMIHSMQswCQYDVQQGEwJW +TjERMA8GA1UECBMIRG9uZyBOYWkxEzARBgNVBAcTCkxvbmcgVGhhbmgxLTArBgNV +BAkTJFN0cmVldCAxLCBMb25nIFRoYW5oIEluZHVzdHJpYWwgWm9uZTEPMA0GA1UE +ERMGNzYwMDAwMSEwHwYDVQQKExhNZWkgU2hlbmcgVGV4dGlsZXMgR3JvdXAxGTAX +BgNVBAsTEFRlY2hub2xvZ3kgR3JvdXAxHTAbBgNVBAMMFCouZGV2Lm1laXNoZW5n +Lmdyb3VwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArnfHjOSjdy8p +bkV0+Xq+9VCJHwNnaakOUJKSkW/Iw8/KbnNzT0Y9V3zFhKJMUaVsucTNneEbWOc3 +wdoe0C75PjYY9Bw3VSnyaXHF84QNy7LxM3E8X0R3rqETfJilzFA4nBtI5bx1WxNp +tSOOYSgcoD7W38mKPpNO3yKdEmrkl5YiunWQBChD+K7tlDewcHnWuJsBPHO+cRrz +rcfv6oozD2zlX5yBzF1lOVWV7TDnCjvyCYuUR9LvwswOkEi8gxnCZxlF9psHvb+a +5CoMleVct6Hgzo2lPe3t7f/eszdbkMIxN/CyIsqG+G5Ljr9M4dTTWhy6nnkF9MkA +i/wZGdKdmSIabXq2/nwlebSJA4sDUBzX+/8Wm2izHN9WqM0bmOdhrwF9uCfAI3d0 +iMeRzxGfJHVU6yml3PSyejc5SpHG4htnWbrZwJB0kxNCPVHYssajqyG41n9xS5dp +bdlP6nl0x1BLvESPKE0oksoDdEkZ1nudSW6uVnNA2idyAwplFD4H4Ww82zxdTwBY +i9nHtMAoizSyd1RxC6SRGaw5jgCaoBw95YbTftOQqH3meu3SWYGhFtpVMu2ZL4nz +7ZwAz/XMJXNdni/+O6hI9ajRSYkrYW5qU3sWXhpehHNGD+Z5MYse/Gl7qGB4P4G6 +3aWx0iFmlpi7EzNe7mG85+6oqsfXBYsCAwEAAaOCASIwggEeMA4GA1UdDwEB/wQE +AwIDqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFOAu +oM+WwWMbylfcJQlkYkPMCi3dMB8GA1UdIwQYMBaAFMt26iTe4iesxaLqZl4u32/r +B6jJMEoGCCsGAQUFBwEBBD4wPDA6BggrBgEFBQcwAoYuaHR0cHM6Ly92YXVsdC5k +cy5tZWlzaGVuZy5ncm91cDo4MjAwL3YxL3BraS9jYTAfBgNVHREEGDAWghQqLmRl +di5tZWlzaGVuZy5ncm91cDBABgNVHR8EOTA3MDWgM6Axhi9odHRwczovL3ZhdWx0 +LmRzLm1laXNoZW5nLmdyb3VwOjgyMDAvdjEvcGtpL2NybDANBgkqhkiG9w0BAQsF +AAOCAQEAs0lsR2dVZNqe/4Rt4nB/YOz/GjnX2HU3EY9LNK0ItCpZNcoVGDiAPWn/ +tWzAVdSp9DfDl4SO26pKCTknGUUrBr08WtkR6CqUmZ7rf5cYl0gtG6LM3/Qn2wt6 +p14HYwJsgt3z3uJ8NGdp9SeamQuhMERz6uQ/t9ueeR806vJEZxJGb/bpHMYiEYyh +6FFwSnwSBLVUwR0aUqVCVg5yYnrjI/WVbLaXQLf1WBpbNl72sSBPnxxWzfb2ddvN 
+DkPD/w983xFNSys98E+N9XeSSOuzOocLvgqZkFlCU9J60sgS8Zyaxrt4H29WMvip
+8nHYJG7vL61dt80BZioEuChMpRKKsw==
+-----END CERTIFICATE-----
diff --git a/certs/test_ssl.py b/certs/test_ssl.py
new file mode 100755
index 0000000..2df4a90
--- /dev/null
+++ b/certs/test_ssl.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python3
+"""
+Test SSL connections to Mei Sheng Group services with proper certificate verification.
+"""
+import requests
+import urllib3
+import os
+import sys
+
+# Disable only the specific warning for unverified HTTPS requests
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+def test_with_ca_bundle():
+ """Test connections using the CA bundle"""
+ ca_bundle = os.path.join(os.path.dirname(__file__), 'meisheng_ca_bundle.pem')
+
+ print("šŸ”’ Testing with CA Bundle...")
+ print(f"šŸ“ CA Bundle: {ca_bundle}")
+
+ services = [
+ ("Gitea", "https://gitea.dev.meisheng.group/api/v1/version"),
+ ("Nomad MCP", "https://nomad_mcp.dev.meisheng.group/api/health"),
+ ]
+
+ for name, url in services:
+ try:
+ response = requests.get(url, verify=ca_bundle, timeout=5)
+ print(f"āœ… {name}: {response.status_code} - {response.text[:100]}")
+ except requests.exceptions.SSLError as e:
+ print(f"šŸ”“ {name}: SSL Error - {e}")
+ # Try with verification disabled to check if it's just a cert issue
+ try:
+ response = requests.get(url, verify=False, timeout=5)
+ print(f"āš ļø {name}: Works without SSL verification - {response.status_code}")
+ except Exception as e2:
+ print(f"āŒ {name}: Complete failure - {e2}")
+ except Exception as e:
+ print(f"āŒ {name}: Error - {e}")
+
+def test_with_system_certs():
+ """Test connections using system certificates"""
+ print("\nšŸ”’ Testing with System Certificates...")
+
+ services = [
+ ("Gitea", "https://gitea.dev.meisheng.group/api/v1/version"),
+ ("Nomad MCP", "https://nomad_mcp.dev.meisheng.group/api/health"),
+ ]
+
+ for name, url in services:
+ try:
+ response = requests.get(url, timeout=5)
+ print(f"āœ… {name}: {response.status_code}")
+ except Exception as e:
+ print(f"āŒ {name}: {e}")
+
+if __name__ == "__main__":
+ test_with_ca_bundle()
+ test_with_system_certs()
\ No newline at end of file
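Review bot: In `test_with_ca_bundle`, the `except requests.exceptions.SSLError` branch retries the same URL with `verify=False`, and the module-level `urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)` hides the warning that retry would raise, so a script described as testing "proper certificate verification" ends up talking to an unauthenticated peer and reporting that the service "Works without SSL verification". The SSLError text already says why verification failed, so I would delete the inner `try` and the `disable_warnings` call and let the failure stand. Both functions only print, which means the script exits 0 even when every check fails; counting failures and finishing with `sys.exit(1 if failures else 0)` would make it usable in CI and give the currently unused `import sys` a purpose. The `test_` prefix in a file named `test_ssl.py` also means a pytest run would probably collect these functions and make live network calls, which a name such as `check_with_ca_bundle` avoids.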