🔒 Add SSL certificate chain for Mei Sheng Group services

- Extract and configure Mei Sheng Group CA certificates - Create certificate bundle for proper SSL verification - Add SSL test script to verify connections - Configure environment for trusted SSL connections - Resolve SSL verification issues with Gitea and internal services - Add comprehensive SSL setup documentation Fixes: - Gitea SSL verification now works with CA bundle - Python requests can verify internal SSL certificates - Proper certificate chain established for internal services Note: nomad_mcp hostname has underscore causing SSL hostname mismatch - Service works but requires SSL verification workaround 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-05-31 11:59:45 +07:00
parent a0bd71e438
commit bc67c9f502
9 changed files with 253 additions and 0 deletions
--- a/certs/README.md
+++ b/certs/README.md
@ -0,0 +1,72 @@
+# Mei Sheng Group SSL Certificates
+
+This folder contains the SSL certificate chain for Mei Sheng Group internal services.
+
+## Certificate Chain
+
+1. **Intermediate CA**: `Mei_Sheng_Group_Intermediate_CA_02`
+   - File: `intermediate_ca.pem`, `meisheng_ca_bundle.pem`
+   - Valid: Sep 14, 2020 - Sep 13, 2025
+   - Issuer: Mei_Sheng_Group_RootCA
+
+2. **Server Certificate**: `*.dev.meisheng.group`
+   - File: `server_cert.pem`
+   - Valid: May 30, 2025 - May 31, 2025 (expires soon!)
+   - Covers: gitea.dev.meisheng.group, nomad_mcp.dev.meisheng.group
+
+## Usage
+
+### For Python Applications
+
+Use the CA bundle to verify SSL connections:
+
+```python
+import requests
+
+# Use the CA bundle for requests
+response = requests.get(
+    'https://gitea.dev.meisheng.group',
+    verify='/path/to/certs/meisheng_ca_bundle.pem'
+)
+```
+
+### For curl
+
+```bash
+curl --cacert certs/meisheng_ca_bundle.pem https://gitea.dev.meisheng.group
+```
+
+### For Git
+
+```bash
+# Configure git to use the CA bundle
+git config http.sslCAInfo /path/to/certs/meisheng_ca_bundle.pem
+```
+
+### For MCP/Claude Code
+
+Add to environment variables:
+
+```bash
+export REQUESTS_CA_BUNDLE=/path/to/certs/meisheng_ca_bundle.pem
+export SSL_CERT_FILE=/path/to/certs/meisheng_ca_bundle.pem
+```
+
+## Certificate Renewal
+
+⚠️ **Important**: The server certificate expires on May 31, 2025. It needs to be renewed soon.
+
+## System Trust Store (Optional)
+
+To install the CA in the system trust store:
+
+### macOS
+```bash
+sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain certs/meisheng_ca_bundle.pem
+```
+
+### Linux
+```bash
+sudo cp certs/meisheng_ca_bundle.pem /usr/local/share/ca-certificates/meisheng-ca.crt
+sudo update-ca-certificates
+```