
Xcode Server that comes with Xcode 9 now automatically generates SSL certificates for communication between server and clients. It also uses this certificate when communicating with the Xcode Server REST API. Is there a way to specify or replace the autogenerated keys and use a certificate from a trusted third party (like LetsEncrypt)?

The apache configuration file located at

/Library/Developer/XcodeServer/Configuration/httpd_os_xcs.conf

contains this information:

Listen 443
<VirtualHost *:443>
    # Xcode Server uses its own self-signed certificates
    # only if no other SSL configurations for Apache have been found
    <IfModule !ssl_module>
        LoadModule ssl_module libexec/apache2/mod_ssl.so
        SSLEngine on
        SSLCertificateFile /Library/Developer/XcodeServer/Certificates/apache.crt
        SSLCertificateKeyFile /Library/Developer/XcodeServer/Certificates/apache.key
    </IfModule>
    [...]
    <IfModule mod_proxy.c>
        SSLProxyEngine On
        SSLProxyCheckPeerCN Off

        ProxyPass /xcode/internal/api https://127.0.0.1:20343/api retry=0 timeout=30
        ProxyPassReverse /xcode/internal/api https://127.0.0.1:20343/api
        ProxyPass /xcode/internal/socket.io https://127.0.0.1:20343/socket.io retry=0 timeout=30
        ProxyPassReverse /xcode/internal/socket.io https://127.0.0.1:20343/socket.io
    </IfModule>
    [...]
</VirtualHost>

I believe the certificate is also part of the apache.keychain file found at

/Library/Developer/XcodeServer/Keychains/apache.keychain

but I haven't been able to verify that.

Every time the Xcode Server service is started in Xcode, the apache.{crt/key} files as well as the httpd_os_xcs.conf file are overwritten, so simply replacing/modifying these files does not appear to be an option.

The only way forward I can see is to implement some other SSL configuration as suggested in the http_os_xcs.conf file, but I can't seem to get that to work either.

Any suggestions or solutions are greatly appreciated.

richardpiazza
  • 1,487
  • 10
  • 23
  • In further testing with this, I've found that the current system may never allow this functionality. I've filed a bug report with apple along similar issues (http://www.openradar.me/36835365). – richardpiazza Feb 07 '18 at 19:04
  • Have you seen any changes with this in Xcode 9.3? I'm trying to set this up with no luck as well – Serenade X Apr 23 '18 at 20:41
  • @SerenadeX Unfortunately there has been no change in Xcode 9.3. I'm guessing that using a custom certificate is probably not going to be supported anywhere in the near future. I've moved on from trying to work with this configuration. What specifically are you trying to accomplish with your setup? Maybe there is a workaround I can help with. – richardpiazza Apr 24 '18 at 17:29
  • Well at my work they are quite particular about the network. We have some Mac Minis we want to set this up on and then our QA team could download the builds. But if we try to go there with the self signed certificate then it warns us about the site's insecurities. If we are not on an iOS device then we can't get to the web server at all (probably because of our network) – Serenade X Apr 25 '18 at 19:20
  • There are two ways to deal with this of which I am aware. 1) Have your QA team use Xcode to connect to the server and download the builds from the integration results. (I think this is the direction Apple would probably have you take). 2) Use the Xcode Server API to build a custom solution for your QA team to view and download builds. – richardpiazza Apr 26 '18 at 12:53

1 Answer

This is what worked for me on macOS Mojave (10.14).

Installing the certificate via the Server app

  1. Install the "Server" app from the App Store (version 5.8)
  2. Generate a server certificate request from the Server app for your domain
  3. Send the request file to a certificate provider to obtain a certificate
  4. From the Server app import the certificate and set it in the dropdown "Secure services using"

These steps could be done in some other way, but initially I wanted to use a "blessed" macOS way, and then the problems started :)

I wanted to use this certificate directly with the system Apache (which is what serves the https://example.com/xcode page), but the documentation is lacking; the only thing I've found is this migration guide, which talks about mod_secure_transport, which should be used instead of mod_ssl. This guide assumes that it is already configured, but mod_secure_transport is not present in the default Mojave Apache configs (those reside in /etc/apache2).

So let's do it manually the old-school way:

Preparing the Apache certificate files manually

  1. Copy your certificate file to /etc/apache2/server.crt
  2. Find your certificate in the Keychain app, and export your certificate's private key in p12 format from there.
  3. Convert your private key to the format expected by Apache:

    openssl pkcs12 -in exported_private_key.p12 -nodes -out server.key -nocerts
    
  4. Copy server.key to /etc/apache2/server.key

Configuring Apache manually

In /etc/apache2/httpd.conf :

  1. Uncomment these lines:

    LoadModule ssl_module libexec/apache2/mod_ssl.so
    ...
    LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so
    
  2. Find "IfModule ssl_module" section and add:

    SSLCertificateFile "/private/etc/apache2/server.crt"
    SSLCertificateKeyFile "/private/etc/apache2/server.key"
    
  3. Test the config:

    sudo apachectl configtest
    
  4. Restart:

    sudo apachectl restart
    

If all is good, it is ready, and you can observe the result at https://example.com/xcode

battlmonstr
  • 5,841
  • 1
  • 23
  • 33
  • What happens when the Xcode Service is stopped and started again from the Xcode preferences? Do the custom SSL services continue to be used, or does Xcode overwrite the certificates? (That's the behavior that I have observed.) – richardpiazza Jun 06 '19 at 22:27
  • I didn't find a restart button. It is possible to disable and enable it, but I didn't want to disrupt it now. If you can test and check, and post feedback, that would be great. The Xcode-related config is in this file - /etc/apache2/other/httpd_xcs.conf, but in this instruction I only change /etc/apache2/httpd.conf. In case that file gets rewritten, you could potentially back it up, and restore after Xcode reconfiguration maybe? – battlmonstr Jun 07 '19 at 11:33
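An added example, not code from the question or the answer above: a POSIX shell script with the checks I would run around the answer's manual steps (the p12-to-PEM conversion, the SSLCertificateFile edit, the configtest) and the question's observation that httpd_os_xcs.conf only loads Xcode's self-signed pair inside an <IfModule !ssl_module> block. It verifies that the converted key actually belongs to the certificate, that the key file is not world-readable, and that the system httpd.conf loads mod_ssl and references the custom certificate, so the Xcode block will be skipped. The file paths are arguments, the password "testing" and the example.com certificate are constructed test material generated locally with openssl, and the function names are my own.

```shell
#!/bin/sh
# Added example: helper checks for installing a third-party certificate into the
# system Apache that fronts Xcode Server. Not part of the question or the answer.
# All paths are passed as arguments (assumptions); the test material generated by
# make_test_material is a throwaway self-signed certificate, not a real one.

# Answer, "Preparing the Apache certificate files", step 3: unwrap the Keychain
# PKCS#12 export into the unencrypted PEM key Apache reads. The password is passed
# explicitly so the command does not prompt, and the result is made mode 0600
# because an unencrypted private key must not be readable by other local users.
convert_p12_key() (
    p12="$1"; out="$2"; password="$3"
    umask 077
    openssl pkcs12 -in "$p12" -nodes -nocerts -passin "pass:$password" \
        -out "$out" 2>/dev/null
    chmod 600 "$out"
)

# Confirm the converted key belongs to the certificate by comparing public-key
# fingerprints (works for RSA and EC keys alike). Returns 0 on match, 1 otherwise.
key_matches_cert() (
    key="$1"; crt="$2"
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
)

# The question's httpd_os_xcs.conf loads Xcode's apache.crt/apache.key only inside
# <IfModule !ssl_module>, so a custom certificate takes effect only if the system
# httpd.conf already loads mod_ssl (answer, "Configuring Apache manually", step 1).
# Returns 0 if an uncommented "LoadModule ssl_module" line is present.
ssl_module_loaded() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ssl_module[[:space:]]' "$1"
}

# Returns 0 if an uncommented SSLCertificateFile directive in the config names the
# given certificate path (answer, "Configuring Apache manually", step 2).
uses_cert() {
    grep -E '^[[:space:]]*SSLCertificateFile[[:space:]]' "$1" | grep -qF "$2"
}

# Everything to check before "sudo apachectl configtest" and the restart.
# Usage: preflight /etc/apache2/server.crt /etc/apache2/server.key /etc/apache2/httpd.conf
preflight() {
    crt="$1"; key="$2"; conf="$3"
    key_matches_cert "$key" "$crt" || { echo "key does not match $crt" >&2; return 1; }
    ssl_module_loaded "$conf" || { echo "ssl_module not loaded in $conf: Xcode's self-signed pair would be used" >&2; return 1; }
    uses_cert "$conf" "$crt" || { echo "$conf does not reference $crt" >&2; return 1; }
    if command -v apachectl >/dev/null 2>&1; then
        apachectl configtest || return 1
    fi
    echo "preflight OK"
}

# Constructed test material only: a one-day self-signed certificate for
# example.com, packaged as the .p12 the Keychain export step would produce.
make_test_material() (
    dir="$1"; password="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.com" \
        -keyout "$dir/orig.key" -out "$dir/server.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/orig.key" -in "$dir/server.crt" \
        -passout "pass:$password" -out "$dir/exported_private_key.p12" 2>/dev/null
)
```

The public-key fingerprint comparison is the check that catches the common mistake of exporting the wrong identity from Keychain: Apache will refuse to start on a mismatched pair, but only after you have already restarted it. The grep-based checks reproduce what the <IfModule !ssl_module> condition in httpd_os_xcs.conf will see at startup, which is the reason the answer edits the system httpd.conf rather than Xcode's own file.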