Certificates at db4s.dbhub.io are expired #228

Open
EwenQuim opened this issue Dec 5, 2023 · 9 comments

@EwenQuim

EwenQuim commented Dec 5, 2023

image
@justinclift
Member

Oh, that's not good. Looking into it now...

@justinclift
Member

justinclift commented Dec 5, 2023

Oh hang on. Are you running on macOS?

If so, this is unlikely to work any time soon. For some unknown reason, macOS wants to insert itself into all https calls, so refuses to accept our custom root CA certificate. 😦 😦 😦

It's more an Apple problem than a "certificates are expired" problem.

@justinclift
Member

Thinking about it a bit more... it might work if you add our root CA certificate to your system keychain.

Probably best if we ask @lucydodo (our resident macOS packager) to look into that first though. Don't want to give you bad advice. 😄

@lucydodo
Member

lucydodo commented Dec 6, 2023

This issue has been around since macOS Big Sur, which started validating certificates issued by self-signed CAs. :)
An immediate workaround is to enroll our CA certificate in the macOS keychain. See sqlitebrowser/sqlitebrowser#2829

@lucydodo
Member

lucydodo commented Dec 6, 2023

@justinclift As an aside,
I think we should consider replacing our self-signed certificate with a certificate from a recognized authority. 🤔

@justinclift
Member

justinclift commented Dec 6, 2023

we should consider replacing our self-signed certificate with a certificate from a recognized authority.

Not going to happen. There's no way we could then issue client certificates to our users for them to load into DB4S.

@lucydodo
Member

lucydodo commented Dec 7, 2023

Well, so right now on macOS, users can't access DBHub without registering a CA certificate, so do we need to guide them through that in the program (for example, pointing them to a wiki page)? 😄

@justinclift
Member

justinclift commented Dec 7, 2023

We should probably do two things:

  1. Test the concept first in a playground environment (VM, container, etc), just to make sure it does work as desired

  2. Think through whether there will be unintended issues (security, etc) from manually adding a new root CA certificate to people's system keychain


For 2) there might be. I can't put my finger on the exact problem right at the moment, but there's a large warning alert type thing going off in my head when I think about us doing this.

Something along the lines of reducing security for people from an external person's point of view, because our custom root CA could (in theory) do something like generate certificates for any domain. Which would be trusted by the user's computer because our root CA is now in their system keychain.

Us not actually generating certificates for anything other than DB4S is kind of beside the point, as the capability would be there. 😦


What we should probably do, is see if the suggestions in that DB4S issue for adjusting our certificates will let them work with macOS. I've not really had the mental head space to look into it though. If you're interested, then you're welcome to though. 😄

@lucydodo
Member

I'd probably want to fix this before the next release.
As it is, you've explained it well enough, but maybe my knowledge is a bit limited. Do you mind if I ask you to elaborate?
